Security controls

Security controls

Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.

To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:
*Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
*During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
*After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.(Some security professionals would add further categories such as deterrent controls and compensation. Others argue that these are subsidiary categories. This is simply a matter of semantics.)

Security controls can also be categorized according to their nature, for example:
*Physical controls "e.g." fences, doors, locks and fire extinguishers;
*Procedural controls "e.g." incident response processes, management oversight, security awareness and training;
*Technical controls "e.g." user authentication (login) and logical access controls, antivirus software, firewalls;
*Legal and regulatory or compliance controls "e.g." privacy laws, policies and clauses.A similar categorization distinguishes control involving people, technology and operations/processes.

Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.

Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO/IEC 27002, the Information Security Forum's Standard of Good Practice for Information Security and NIST SP 800-53 (more below). Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001.

=Information security standards and control frameworks=Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.

International information security standards

ISO/IEC 27001
#Risk assessment and treatment - analysis of the organization's information security risks
#Security policy - management direction
#Organization of information security - governance of information security
#Asset management - inventory and classification of information assets
#Human resources security - security aspects for employees joining, moving and leaving an organization
#Physical and environmental security - protection of the computer facilities
#Communications and operations management - management of technical security controls in systems and networks
#Access control - restriction of access rights to networks, systems, applications, functions and data
#Information systems acquisition, development and maintenance - building security into applications
#Information security incident management - anticipating and responding appropriately to information security breaches
#Business continuity management - protecting, maintaining and recovering business-critical processes and systems
#Compliance - ensuring conformance with information security policies, standards, laws and regulations

U.S. Federal Government information security standards

From NIST Special Publication SP 800-53 revision 1.

#AC Access Control
#AT Awareness and Training
#AU Audit and Accountability
#CA Certification, Accreditation, and Security Assessments
#CM Configuration Management
#CP Contingency Planning
#IA Identification and Authentication
#IR Incident Response
#MA Maintenance
#MP Media Protection
#PE Physical and Environmental Protection
#PL Planning
#PS Personnel Security
#RA Risk Assessment
#SA System and Services Acquisition
#SC System and Communications Protection
#SI System and Information Integrity


=U.S. Department of Defense information security standards=

From DoD Instruction 8500.2 there are 8 Information Assurance (IA) areas and the controls are referred to as IA controls.
#DC Security Design & Configuration
#IA Identification and Authentication
#EC Enclave and Computing Environment
#EB Enclave Boundary Defense
#PE Physical and Environmental
#PR Personnel
#CO Continuity
#VI Vulnerability and Incident Management

DoD assigns the IA control per CIA Triad leg.

ee also

* Access control
* Environmental design
* Physical Security
* Risk
* Security
* Security engineering
* Security management

References

* [http://iso-17799.safemode.org ISO 17799 Wiki]
* [http://www.isfsecuritystandard.com Information Security Forum's Standard of Good Practice for Information Security]
* [http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf NIST SP 800-53]
* [http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf DoD Instruction 8500.2]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Security Architecture — Security provided by IT Systems can be defined as the IT system’s ability to being able to protect confidentiality and integrity of processed data, as well as to be able to provide availability of the system and data.“IT Architecture” may be… …   Wikipedia

  • Security awareness — is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. Many organizations require formal security awareness training for all workers when …   Wikipedia

  • Security Audit — Als IT Sicherheitsaudit (englisch IT Security Audit; von lateinisch audit: „er/sie hört“; sinngemäß: „er/sie überprüft“) werden in der Informationstechnik (IT) Maßnahmen zur Risiko und Schwachstellenanalyse (engl. Vulnerability Scan) eines IT… …   Deutsch Wikipedia

  • Security Scan — Als IT Sicherheitsaudit (englisch IT Security Audit; von lateinisch audit: „er/sie hört“; sinngemäß: „er/sie überprüft“) werden in der Informationstechnik (IT) Maßnahmen zur Risiko und Schwachstellenanalyse (engl. Vulnerability Scan) eines IT… …   Deutsch Wikipedia

  • Security Test — Als IT Sicherheitsaudit (englisch IT Security Audit; von lateinisch audit: „er/sie hört“; sinngemäß: „er/sie überprüft“) werden in der Informationstechnik (IT) Maßnahmen zur Risiko und Schwachstellenanalyse (engl. Vulnerability Scan) eines IT… …   Deutsch Wikipedia

  • Security guard — Private factory guard Occupation Activity sectors Security Description A security guard (or security officer) is a person who is paid to protect pro …   Wikipedia

  • Security Information Service — Bezpečnostní informační služba (BIS) Agency overview Formed 30 July 1994 Preceding agencies Security Information Service of the Czech Republic (1992) (Czechoslovak) Federal Security Information Service …   Wikipedia

  • Security-Enhanced Linux — The SELinux administrator in Fedora 8 Security Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls,… …   Wikipedia

  • Security and safety features new to Windows Vista — There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.Beginning in early 2002 with Microsoft s announcement of their Trustworthy Computing… …   Wikipedia

  • Security Content Automation Protocol — The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”