Information security controls are measures taken to reduce information security risks such as information system breaches, data theft, and unauthorized changes to digital information or systems. These controls are intended to help protect the availability, confidentiality, and integrity of data and networks, and are typically implemented after an information security risk assessment.
 

There are three categories of information security controls:

  1. Preventive security controls, designed to prevent cyber security incidents
  2. Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or successful breach (“incident”) while it is in progress, and alerting cyber security personnel
  3. Corrective security controls, used after a cyber security incident to help minimize data loss and damage to the system or network, and restore critical business systems and processes as quickly as possible (“resilience”)

4 TYPES OF INFOSEC CONTROLS

Types of information security controls include security policies, procedures, plans, devices and software intended to strengthen cybersecurity. In general, information security controls come in the form of:
  • Physical Access Controls including restrictions on physical access such as security guards at building entrances, locks, and perimeter fences
  • Procedural Controls such as security awareness education, security framework compliance training, and incident response plans and procedures
  • Technical Controls such as multi-factor user authentication at login and logical access controls, antivirus software, and firewalls
  • Compliance Controls such as privacy laws and cyber security frameworks and standards.
 
When it comes to Compliance-based controls, the most widely used information security frameworks and standards include:
  • The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This framework lists security requirements useful not only for federal agencies but for large enterprises, and any organization looking to minimize their cyber security risk
  • The International Organization for Standardization (ISO) standard ISO 27001, Information Security Management, which provides guidance on information technology security and computer security
  • The Payment Card Industry Data Security Standard (PCI DSS), which establishes security requirements and security controls for the protection of sensitive data associated with personal credit card and payment card information
  • HIPAA/HITECH for hospitals, insurance providers, and other organizations collecting personal health information (PHI)
  • Sarbanes-Oxley (SOX) for publicly traded companies and those planning to go public
  • Privacy Shield, which replaces the US-EU Safe Harbor, for organizations that collect and process data between the U.S. and European Union
Frameworks and standards are systems that, when followed, help an entity to consistently manage information security controls for all their systems, networks, and devices, including configuration management, physical security, personnel security, network security, and information security systems. They define what constitutes good cybersecurity practices and provide a structure that entities can use for managing their information security controls.
 
 

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content in her posts.
