Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Types of security controls
Security controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:
Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.
Security controls can also be classified according to their characteristics, for example:
Physical controlse.g. fences, doors, locks and fire extinguishers;
Procedural or administrative controlse.g. incident response processes, management oversight, security awareness and training;
Technical or logical controlse.g. user authentication (login) and logical access controls, antivirus software, firewalls;
Legal and regulatory or compliance controlse.g. privacy laws, policies and clauses.
Information security standards and control frameworks
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.
International Standards Organization
ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025).
The 2022 version of the Standard specifies 93 controls in 4 groups:
A.5: Organisational controls
A.6: People controls
A.7: Physical controls
A.8: Technological controls
It groups these controls into operational capabilities as follows:
Governance
Asset management
Information protection
Human resource security
Physical security
System and network security
Application security
Secure configuration
Identity and access management
Threat and vulnerability management
Continuity
Supplier relationships security
Legal and compliance
Information security event management; and
Information_security_assurance
The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:
A.5: Information security policies
A.6: How information security is organised
A.7: Human resources security - controls that are applied before, during, or after employment.
A.8: Asset management
A.9: Access controls and managing user access
A.10: Cryptographic technology
A.11: Physical security of the organisation's sites and equipment
A.12: Operational security
A.13: Secure communications and data transfer
A.14: Secure acquisition, development, and support of information systems
A.15: Security for suppliers and third parties
A.16: Incident management
A.17: Business continuity/disaster recovery (to the extent that it affects information security)
A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.
U.S. Federal Government information security standards
Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.
FIPS 200 identifies 17 broad control families:
AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Security Assessment and Authorization (historical abbreviation)
CM Configuration Management
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity
National Institute of Standards and Technology
NIST Cybersecurity Framework
A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."
A database of nearly one thousand technical controls grouped into families and cross references.
Starting with Revision 3 of 800-53, Program Management controls were identified. These controls are independent of the system controls, but are necessary for an effective security program.
Starting with Revision 4 of 800-53, eight families of privacy controls were identified to align the security controls with the privacy expectations of federal law.
Starting with Revision 5 of 800-53, the controls also address data privacy as defined by the NIST Data Privacy Framework.
Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls).[3] The CIS Controls are divided into 18 controls.
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls.[4]
These are technically aligned.[5][6] This model is widely recognized.[7][8]
Data liability (legal, regulatory, compliance)
The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
Perkins Coie Security Breach Notification Chart: A set of articles (one per state) that define data breach notification requirements among US states.[9]
NCSL Security Breach Notification Laws: A list of US state statutes that define data breach notification requirements.[10]
ts jurisdiction: A commercial cybersecurity research platform with coverage of 380+ US State & Federal laws that impact cybersecurity before and after a breach. ts jurisdiction also maps to the NIST Cybersecurity Framework.[11]
Business control frameworks
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:
^
William Stallings
Crittografia e sicurezza delle reti
Seconda edizione
ISBN88-386-6377-7
Traduzione Italiana a cura di Luca Salgarelli
di Cryptography and Network security 4 edition
Pearson
2006
^Securing information and communications systems: principles, technologies, and applications
Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages