
Section 6: Security Controls (Information Security Controls)

Introduction:

• Security controls play an important role in supporting an organization's
defense against cybersecurity threats. A well-designed and effectively
implemented set of controls can significantly reduce risks, protect critical
assets, and ensure the continuity of operations in an increasingly complex
digital landscape.
• Security controls are typically implemented based on risk assessments and
security frameworks to address specific threats and vulnerabilities. They form
an essential part of an organization's overall cybersecurity strategy, helping to
maintain the confidentiality, integrity, and availability of critical systems and
data.

What does "security controls" mean?

Security controls refer to measures, safeguards, or countermeasures put in place to
manage, mitigate, or reduce the risks and threats to an organization's information
systems, data, infrastructure, and assets. These controls are implemented to protect
against unauthorized access, misuse, disruption, or destruction of sensitive
information and resources.

Goals of Security Controls

The goal of security controls is to avoid, detect, counteract, or minimize security
risks to physical property, information, computer systems, or other assets.

Types of Security Controls: These controls can be categorized into several types:

1- Administrative Controls: These controls consist of policies,
procedures, guidelines, and standards that guide an organization's security
posture. Examples include security policies, risk management frameworks,
security awareness training, and incident response plans.

• Training and awareness.
• Disaster preparedness and recovery plans.
• Personnel recruitment and separation strategies.
• Personnel registration and accounting.
• Procedures that explain how to deal (1) between employees,
(2) between employees and senior management, (3) with other
companies, and (4) with customers. These procedures should be
clear and strict, and should use the principle of punishment/penalty and reward.

2- Technical Controls: These controls involve using technology
and tools to protect systems and data. They can be further divided into
subcategories:
• Access Controls: These manage and restrict access to resources. This
includes user authentication (passwords, biometrics), authorization
(role-based access control), and encryption.

• Firewalls and Network Security: Firewalls are used to monitor and
control incoming and outgoing network traffic based on predetermined
security rules. Other network security controls include intrusion
detection and prevention systems (IDPS), VPNs (Virtual Private
Networks), and secure network architecture designs.
• Endpoint Security: Protecting individual devices such as computers,
laptops, and mobile devices. Antivirus software, endpoint encryption,
and application whitelisting are examples of endpoint security controls.
• Encryption: Protects data by converting it into ciphertext that can
only be read by authorized parties who possess the decryption key.
• Logging and Monitoring: This involves collecting, analyzing, and
monitoring logs and events from various systems to identify and
respond to security incidents. Security Information and Event
Management (SIEM) tools fall into this category.

3- Physical Controls: These controls are implemented to secure
physical access to facilities, equipment, and resources. Examples include
security guards, locks, access badges, surveillance cameras, and secure
facility designs.
Requirements that the physical security controls must cover:
1. Authorized access to critical places in the organization, such as:
• Data center.
• Disaster recovery center.
• Security monitoring system.
• Where sensitive data are stored and processed.
• Network monitoring room.

Who is allowed, and who is not allowed?

2. Access and monitoring logs.

3. Secure methods of destroying physical assets that contain sensitive
information, such as paper documents and storage media (hard drives, etc.),
by using hard drive shredding and paper shredding.
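
How requirements 1 and 2 work together, as an added example that is not part of the original handout: door-controller logs are reviewed against the list of who is allowed into each critical place. The log format, badge IDs, area names and the denial threshold are all constructed for illustration.

```python
from datetime import datetime

# Constructed allow-list: which badge holders may enter which critical place.
AUTHORIZED = {
    "data-center": {"b-1001", "b-1002"},
    "disaster-recovery-center": {"b-1001"},
    "network-monitoring-room": {"b-1002", "b-1003"},
}

# Constructed door-controller log: timestamp, badge id, area, door result.
SAMPLE_LOG = """\
2024-03-04T08:58:10 b-1001 data-center GRANTED
2024-03-04T09:02:41 b-1003 data-center DENIED
2024-03-04T09:03:05 b-1003 data-center DENIED
2024-03-04T09:03:30 b-1003 data-center DENIED
2024-03-04T23:47:12 b-1002 network-monitoring-room GRANTED
2024-03-05T02:15:00 b-1004 disaster-recovery-center GRANTED
not a log line
"""

def parse(line):
    """Return (time, badge, area, result), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("GRANTED", "DENIED"):
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
    except ValueError:
        return None

def review(log_text, authorized, denied_threshold=3):
    """Flag entries that contradict the allow-list, and repeated denials."""
    findings, denied = [], {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            findings.append(("unparsed", line))  # never drop evidence silently
            continue
        _when, badge, area, result = rec
        allowed = badge in authorized.get(area, set())
        if result == "GRANTED" and not allowed:
            # The door opened for someone the policy does not list.
            findings.append(("granted-but-not-authorized", badge, area))
        elif result == "DENIED":
            denied[(badge, area)] = denied.get((badge, area), 0) + 1
            if denied[(badge, area)] == denied_threshold:
                findings.append(("repeated-denied", badge, area))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, AUTHORIZED):
        print(finding)
```

A "granted-but-not-authorized" finding means the lock configuration and the written authorization list disagree, which is a failure of the preventive control that only the log review reveals.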

4- Operational Controls: These controls involve processes and
procedures to ensure the ongoing security and functionality of systems. They
cover aspects such as backup and recovery plans, change management,
incident response, and disaster recovery.

5- Legal and Compliance Controls: These controls
ensure that an organization complies with relevant laws, regulations, and
industry standards. They involve activities such as regular audits, compliance
assessments, and legal obligations concerning data protection and privacy.

Purpose of Security Controls: Security controls can be categorized into different
types based on their purpose and functionality:

1- Preventative Controls: These controls aim to stop security
incidents before they occur. Examples include firewalls, access controls,
encryption, strong authentication mechanisms, and security awareness
training for employees.

2- Detective Controls: These controls are designed to identify
and detect security incidents or breaches that have occurred. Intrusion
detection systems, security monitoring tools, and log analysis are examples of
detective controls.

3- Corrective Controls: Once a security incident has been
detected, corrective controls are activated to minimize the damage and restore
the affected systems to their normal state. Incident response plans and backup and
recovery procedures fall under this category.

4- Directive Controls: These controls establish policies,
procedures, and guidelines to govern the behavior of individuals within an
organization. They include security policies, acceptable use policies, and
security training to guide employees on proper security practices.

Summary
