Security controls play a foundational role in shaping the actions cyber security professionals take to protect an organization.
There are three main types of IT security controls: technical, administrative, and physical. The primary goal for implementing a security control can be preventative, detective, corrective, compensatory, or to act as a deterrent. Controls are also used to protect people, as is the case with social engineering awareness training or policies.
The lack of security controls places the confidentiality, integrity, and availability of information at risk. These risks also extend to the safety of people and assets within an organization.
In this article, I’m going to explain what a security control is and the differences between each type. Next, I’ll discuss the goals that each control is meant to achieve, with examples along the way.
By the end, you’ll have a better understanding of the basic security controls in cyber security.
In this article you will learn more about:
What Is A Security Control?
Security controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability.
One example is implementing company-wide security awareness training to minimize the risk of a social engineering attack on your network, people, and information systems.
The act of reducing risk is also called risk mitigation.
While it’s next to impossible to prevent all threats, mitigation seeks to decrease the risk by reducing the chances that a threat will exploit a vulnerability.
Risk mitigation is achieved by implementing different types of security controls depending on:
What Are The Goals Of Security Controls?
The overall purpose of implementing security controls as previously mentioned is to help reduce risks in an organization.
In other words, the primary goal of implementing security controls is to prevent or reduce the impact of a security incident.
The effective implementation of a security control is based on its classification in relation to the security incident.
The common classification types are listed below along with a description of each:
Implementing the controls listed is no trivial matter.
For example, an organization that places a high priority on reducing risk usually maintains a risk profile, which sets out the potential cost of a risk that materializes against the human resources required to implement the control(s).
Layering Security Controls
Layering is an approach that combines multiple security controls to develop what’s called a defense-in-depth strategy.
Defense-in-depth is a common security strategy in which multiple layers of controls are implemented.
By combining controls into multiple layers of security, you ensure that if one layer fails to counteract a threat, the other layers will help to prevent a breach of your systems.
Each layer of security works to counteract specific threats, which requires cyber security programs to invest in multiple technologies and processes to prevent systems or people from being compromised.
For example, endpoint detection and response (EDR) solutions are great at preventing viruses and malware from infecting computers and servers.
However, EDR is not equipped to log and monitor traffic on a network like a SIEM, or to detect and prevent an attack in real time like an IPS.
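To make the layering argument and the risk profile concrete, here is an added example (not from the original article) that models each layer as a control with an assumed chance of stopping a threat and an assumed yearly cost, then computes residual likelihood and the cheapest layering within a budget. All effectiveness, cost, likelihood and loss figures are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # technical, administrative or physical
    goal: str             # preventative, detective, corrective, compensatory, deterrent
    effectiveness: float  # assumed chance this layer alone stops the threat
    annual_cost: float    # constructed yearly cost of running the control

# Constructed catalogue; effectiveness and cost figures are illustrative assumptions.
CATALOGUE = (
    Control("Security awareness training", "administrative", "preventative", 0.4, 5_000),
    Control("Endpoint detection and response", "technical", "preventative", 0.7, 20_000),
    Control("SIEM log monitoring", "technical", "detective", 0.3, 30_000),
    Control("Intrusion prevention system", "technical", "preventative", 0.5, 15_000),
)

def residual_likelihood(base_likelihood, controls):
    """Chance the threat still succeeds once every layer has had its turn.
    Assumes layers fail independently, so the threat has to get past all of them."""
    remaining = base_likelihood
    for control in controls:
        remaining *= 1.0 - control.effectiveness
    return remaining

def annual_loss_expectancy(likelihood, loss_per_incident):
    """Risk expressed as money: likelihood of a loss times the size of the loss."""
    return likelihood * loss_per_incident

def cheapest_layering(base_likelihood, loss_per_incident, catalogue, budget):
    """Brute-force the subset of controls within budget that minimises residual
    loss expectancy plus the cost of the controls themselves.
    Returns (control names, total yearly cost of residual risk plus controls)."""
    best_names, best_total = (), annual_loss_expectancy(base_likelihood, loss_per_incident)
    for size in range(1, len(catalogue) + 1):
        for layers in combinations(catalogue, size):
            spend = sum(c.annual_cost for c in layers)
            if spend > budget:
                continue
            residual = residual_likelihood(base_likelihood, layers)
            total = annual_loss_expectancy(residual, loss_per_incident) + spend
            if total < best_total:
                best_names, best_total = tuple(c.name for c in layers), total
    return best_names, best_total

if __name__ == "__main__":
    # Constructed scenario: 50% yearly chance of a successful attack costing $400k per incident.
    for budget in (10_000, 25_000, 100_000):
        names, total = cheapest_layering(0.5, 400_000, CATALOGUE, budget)
        print(f"budget {budget:>7}: {names or 'no controls'} -> yearly cost {total:,.0f}")
```

With an unlimited budget the model does not pick every control: the SIEM layer adds detection but costs more than the residual risk it removes in this constructed scenario, which is the trade-off a risk profile is meant to surface.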
Understanding The Basics Of Risks & Threats
Before we dive into control types, it’s important to first understand the cyber risks and threats they help to mitigate.
Risks
Risk in cyber security is the likelihood that a threat will exploit a vulnerability, resulting in a loss. Losses can be informational or financial, damage to reputation, or even a loss of customer trust.
Threats
Threats are any event with the potential to compromise the confidentiality, integrity, and availability (CIA) of information.
Threats come from outside an organization, from anywhere in the world that is connected to the internet. Insiders, such as a disgruntled employee with too much access or a malicious insider, also pose a threat to businesses.
Note, insider threats are not always malicious. For example, an employee clicking on a phishing email that installs malware does not mean the employee intended to cause harm.
Finally, threats may also take the form of a natural disaster or a man-made threat such as a new malware variant.
Vulnerabilities
A vulnerability is a weakness or flaw in software, hardware, or organizational processes which, when exploited by a threat, can result in a security incident.
Security Incidents
A security incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Now that we have a better understanding of basic risk concepts, let’s explore how security controls are implemented.
Technical Security Controls
At the most basic level, technical controls, also known as logical controls, use technology to reduce vulnerabilities in hardware and software. Automated software tools are installed and configured to protect these assets.
Examples of technical controls include:
Follow PurpleSec for more vulnerability management and penetration testing content.