This article may be confusing or unclear to readers.(January 2012) Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.[1] In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Security controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:
Security controls can also be classified according to their characteristics, for example:
For more information on security controls in computing, see Defense in depth (computing) and Information security Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below. International Standards OrganizationISO/IEC 27001 specifies 114 controls in 14 groups:
U.S. Federal Government information security standardsThe Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards. Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53. FIPS 200 identifies 17 broad control families:
National Institute of Standards and Technology NIST Cybersecurity FrameworkA maturity based framework divided into five functional areas and approximately 100 individual controls in its "core." NIST SP-800-53A database of nearly one thousand technical controls grouped into families and cross references.
Commercial Control SetsCOBIT5A proprietary control set published by ISACA.[2]
CIS Top-20A commercially licensable control set published by the Center for Internet Security.[3]
ts mitigationAn open (Creative Commons) and commercially licensable control set from Threat Sketch.[4]
In telecommunications, security controls are defined as security services as part of the OSI Reference model
These are technically aligned.[5][6] This model is widely recognized.[7][8] The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:
|