1

Security controls

Security controls are safeguards or countermeasures to avoid, counteract or minimize

security risks relating to personal property, or computer software. For business-to-
business facing companies whose service may affect the financial statements of the other
company, the prospect may require successful audit reports of policy controls such as a
SSAE 16 report before granting them authorization as a vendor.

To help review or design security controls, they can be classified by several criteria, for
example according to the time that they act, relative to a security incident:
 Before the event, preventive controls are intended to prevent an incident from
occurring e.g. by locking out unauthorized intruders;
 During the event, detective controls are intended to identify and characterize an
incident in progress e.g. by sounding the intruder alarm and alerting the security
guards or police;
 After the event, corrective controls are intended to limit the extent of any damage
caused by the incident e.g. by recovering the organization to normal working status
as efficiently as possible.

Security controls can also be categorized according to their nature, for example:
 Physical controls e.g. fences, doors, locks and fire extinguishers;
 Procedural controls e.g. incident response processes, management oversight,
security awareness and training;
 Technical controls e.g. user authentication (login) and logical access controls,
antivirus software, firewalls;
 Legal and regulatory or compliance controls e.g. privacy laws, policies and
clauses.

A similar categorization distinguishes control involving people, technology and

operations/processes.
Information security controls protect the confidentiality, integrity and/or availability of
information (the so-called CIA Triad).
 2

Risk-aware organizations may choose proactively to specify, design, implement, operate

and maintain their security controls, usually by assessing the risks and implementing a
comprehensive security management framework such as ISO/IEC 27002, the Information
Security Forum's Standard of Good Practice for Information Security and NIST SP 800-53
(more below).

Organizations may also opt to demonstrate the adequacy of their information security
controls by being independently assessed against certification standards such as ISO/IEC
27001.

In telecommunications, security controls are defined as Security services as part of OSI

Reference model by ITU-T X.800 Recommendation. X.800 and ISO 7498-2 (Information
processing systems – Open systems interconnection – Basic Reference Model – Part 2:
Security architecture are technically aligned.

Information security standards and control frameworks

Numerous information security standards promote good security practices and define
frameworks or systems to structure the analysis and design for managing information
security controls. Some of the most well-known are outlined below.
 3

International information security standards

ISO/IEC 27001
 Risk assessment and treatment - analysis of the organization's information security
risks
 Security policy - management direction
 Organization of information security - governance of information security
 Asset management - inventory and classification of information assets
 Human resources security - security aspects for employees joining, moving and
leaving an organization
 Physical and environmental security - protection of the computer facilities
 Communications and operations management - management of technical security
controls in systems and networks
 Access control - restriction of access rights to networks, systems, applications,
functions and data
 Information systems acquisition, development and maintenance - building security
into applications
 Information security incident management - anticipating and responding
appropriately to information security breaches
 Business continuity management - protecting, maintaining and recovering business-
critical processes and systems
 Compliance - ensuring conformance with information security policies, standards,
laws and regulations
 U.S. Federal Government information security standards
 4

NIST: Special Publication SP 800-53 revision 3.

 AC Access Control.
 AT Awareness and Training.
 AU Audit and Accountability.
 CA Certification, Accreditation, and Security Assessments.
 CM Configuration Management.
 CP Contingency Planning.
 IA Identification and Authentication.
 IR Incident Response.
 MA Maintenance.
 MP Media Protection.
 PE Physical and Environmental Protection.
 PL Planning.
 PS Personnel Security.
 RA Risk Assessment.
 SA System and Services Acquisition.
 SC System and Communications Protection.
 SI System and Information Integrity.
 PM Program Management.

U.S. Department of Defense information security standards

From DoD Instruction 8500.2 there are 8 Information Assurance (IA) areas and the
controls are referred to as IA controls.
 DC Security Design & Configuration
 IA Identification and Authentication
 EC Enclave and Computing Environment
 EB Enclave Boundary Defense
 PE Physical and Environmental
 PR Personnel
 CO Continuity
 VI Vulnerability and Incident Management