Security controls


Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.

Types of security controls

Security controls can be classified by several criteria. For example, according to the time that they act, relative to a security incident:
They can also be classified according to their nature, for example:
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.

International Standards Organization

specifies 114 controls in 14 groups:
The Federal Information Processing Standards apply to all US government agencies. However, certain national security systems under the purview of the Committee on National Security Systems are managed outside these standards.
Federal information Processing Standard 200, "Minimum Security Requirements for Federal Information and Information Systems", specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication .
FIPS 200 identifies 17 broad control families:
  1. AC Access Control.
  2. AT Awareness and Training.
  3. AU Audit and Accountability.
  4. CA Security Assessment and Authorization.
  5. CM Configuration Management.
  6. CP Contingency Planning.
  7. IA Identification and Authentication.
  8. IR Incident Response.
  9. MA Maintenance.
  10. MP Media Protection.
  11. PE Physical and Environmental Protection.
  12. PL Planning.
  13. PS Personnel Security.
  14. RA Risk Assessment.
  15. SA System and Services Acquisition.
  16. SC System and Communications Protection.
  17. SI System and Information Integrity.
National Institute of Standards and Technology

'''NIST Cybersecurity Framework'''

A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."

'''NIST SP-800-53'''

A database of nearly one thousand technical controls grouped into families and cross references.

COBIT5

A proprietary control set published by ISACA.
A commercially licensable control set published by the Center for Internet Security.
An open and commercially licensable control set from Threat Sketch.
In telecommunications, security controls are defined as security services as part of the OSI Reference model
These are technically aligned. This model is widely recognized.

Data Liability (legal, regulatory, compliance)

The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including: