INFORMATION SECURITY CONTROLS

According to the National Institute of Standards and Technology (NIST), security controls are “safeguards and countermeasures prescribed for an information system to protect its information's confidentiality, integrity, and availability, meeting defined security requirements.” In plain terms, a control is anything you do to protect your information.

The term covers any policy, plan, device, or procedure used to reduce an organization's information risk.


Categories of Information Security Controls

Information security controls can be categorized by type (how the control is implemented) or by goal (what the control is meant to achieve). Different types of control are combined to achieve different goals, and thinking in these categories helps you work out which controls your organization needs.


By Type

·      Physical Controls

Physical controls are the tangible measures that prevent unauthorized access to your premises and systems. They cover everything from perimeter fences and door locks to the temperature and humidity controls in a server room. These countermeasures are essential for any organization whose physical assets are at risk.

·      Administrative Controls

Administrative controls, as the name suggests, are the policies and procedures that guide business practice and ensure that day-to-day actions fit the organization's security goals. They govern staff hiring and termination, acceptable use of equipment, separation of duties, and the auditing of data access. Security awareness training for staff also falls under this umbrella.

·      Technical Controls

Technical controls, also known as logical controls, use hardware and software mechanisms to protect information. They include firewalls, antivirus software, authentication solutions, constrained interfaces, and encryption.

 

By Goals

·      Preventive Controls

Preventive controls stop unauthorized activity before it happens, and they can be implemented with any of the three types. For example, fences and locks keep intruders off your premises, a firewall refuses unwanted network connections, antivirus software blocks known malicious programs, and a separation-of-duties policy stops any single person from misusing data on their own. You implement preventive controls in anticipation of the risks particular to your industry or organization.

·      Detective Controls

Detective controls tell you when unwanted activity is in progress or has already occurred, usually by raising an alert, and they too can be implemented with any type of control. For instance, a door alarm tells you that someone has entered a room without authorization, and a log monitor tells you that one address has failed to log in many times in a row. A detective control does not stop the activity; it makes sure you find out about it quickly.

·      Corrective Controls

Corrective controls are the measures taken after an incident to limit the damage, restore affected resources, and return the organization to its pre-incident state; they also feed back into strengthening the other controls. The administrative control of maintaining and executing an incident response plan is a corrective measure. Technical corrective controls include restoring a system from a known-good backup, patching the vulnerability that was exploited, and quarantining the malware. One caveat: rebooting or wiping a compromised system before evidence has been collected destroys the volatile data (memory, running processes, network connections) that an investigation depends on, so collect first and then correct.
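The three goals applied to a single technical control, a login endpoint, as an added example that is not part of the original article. The service, the user list, the attempt sequence and the thresholds (five failures within sixty seconds) are all constructed for illustration. The same failure counter serves as a preventive control when it refuses the next attempt, as a detective control when it is run over the authentication log after the fact, and feeds a corrective control when the flagged account is locked and its password invalidated.

```python
import hashlib
import hmac
from collections import defaultdict, deque

FAIL_THRESHOLD = 5   # failures from one source address ...
WINDOW_SECONDS = 60  # ... within this many seconds counts as a brute-force burst


def _digest(password):
    # Illustrative only: a real system stores a slow password hash (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class LoginService:
    """Constructed login service. With preventive=True it refuses attempts from a
    source that has already failed FAIL_THRESHOLD times inside WINDOW_SECONDS."""

    def __init__(self, users, preventive=True, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
        self.creds = {u: _digest(p) for u, p in users.items()}
        self.preventive = preventive
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
        self.locked = set()                  # accounts disabled by the corrective control
        self.log = []                        # "<epoch> <src_ip> <user> <outcome>"

    def _recent_failures(self, ts, ip):
        q = self.failures[ip]
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def attempt(self, ts, ip, user, password):
        q = self._recent_failures(ts, ip)
        if self.preventive and len(q) >= self.threshold:
            outcome = "BLOCKED"   # preventive: refused before the password is even checked
        elif user in self.locked:
            outcome = "LOCKED"    # corrective action has already been applied to this account
        elif user in self.creds and hmac.compare_digest(self.creds[user], _digest(password)):
            outcome = "OK"
        else:
            q.append(ts)
            outcome = "FAIL"
        self.log.append(f"{ts} {ip} {user} {outcome}")
        return outcome

    def remediate(self, user):
        """Corrective control: disable the account and invalidate its password so a
        credential guessed during the burst no longer works."""
        self.locked.add(user)
        self.creds.pop(user, None)


def detect_bruteforce(log_lines, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Detective control: scan the authentication log and return one alert
    (timestamp, src_ip, user) per burst of `threshold` failures inside `window`."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_lines:
        ts, ip, user, outcome = line.split()
        ts = int(ts)
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, ip, user))
            q.clear()   # one alert per burst, not one per extra failure
    return alerts


# Constructed scenario: an attacker at 203.0.113.5 guesses alice's password on the sixth try.
USERS = {"alice": "correct horse", "bob": "hunter2"}
SAMPLE_ATTEMPTS = [
    (1700000000, "203.0.113.5", "alice", "password1"),
    (1700000012, "203.0.113.5", "alice", "letmein"),
    (1700000020, "203.0.113.5", "alice", "alice123"),
    (1700000025, "203.0.113.5", "alice", "qwerty"),
    (1700000031, "203.0.113.5", "alice", "summer2023"),
    (1700000040, "203.0.113.5", "alice", "correct horse"),
    (1700000100, "198.51.100.7", "bob", "hunter2"),
]


def run_scenario(preventive):
    """Replay the attempts, run detection over the log, remediate, then have alice
    herself try to log in from her own address. Returns (outcomes, alerts, after)."""
    svc = LoginService(USERS, preventive=preventive)
    outcomes = [svc.attempt(*a) for a in SAMPLE_ATTEMPTS]
    alerts = detect_bruteforce(svc.log)
    for _ts, _ip, user in alerts:
        svc.remediate(user)
    after = svc.attempt(1700000200, "192.0.2.10", "alice", "correct horse")
    return outcomes, alerts, after


if __name__ == "__main__":
    for preventive in (False, True):
        outcomes, alerts, after = run_scenario(preventive)
        print(f"preventive={preventive}: {outcomes} alerts={alerts} alice afterwards={after}")
```

Without the preventive control the attacker's sixth attempt succeeds and only the detective control, running over the log afterwards, reveals the burst; with it the sixth attempt is refused outright. In both runs the corrective step locks the account, which is why alice's own later login returns LOCKED until the account is re-enabled with a fresh password.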


The controls an organization needs differ from one organization to the next. Carry out a comprehensive information security risk assessment before deciding on your organization's security controls, so that each control addresses a risk you have actually identified.