Published November 18, 2019 • By Thea Garcia • 2 min read
Information security controls are measures taken to reduce information security risks such as information systems breaches, data theft, and unauthorized changes to digital information or systems. These security controls are intended to help protect the availability, confidentiality, and integrity of data and networks, and are typically implemented after an information security risk assessment.
Types of information security controls include security policies, procedures, plans, devices and software intended to strengthen cybersecurity. There are three categories of information security controls:
Preventive security controls, designed to prevent cyber security incidents
Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or successful breach (“incident”) while it is in progress, and alerting cyber security personnel
Corrective security controls, used after a cyber security incident to help minimize data loss and damage to the system or network, and restore critical business systems and processes as quickly as possible (“resilience”)
Security controls come in the form of:
Access controls, including restrictions on physical access such as security guards at building entrances, locks, and perimeter fences
Procedural controls such as security awareness education, security framework compliance training, and incident response plans and procedures
Technical controls such as multi-factor user authentication at login and logical access controls, antivirus software, and firewalls
Compliance controls such as privacy laws and cyber security frameworks and standards.
The most widely used information security frameworks and standards include:
The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This document lists security requirements useful not only for federal agencies but for all organizations’ information security risk management programs.
The International Organization for Standardization (ISO) standard ISO 27001, Information Security Management, which provides guidance on information technology security and computer security.
The Payment Card Industry Data Security Standard (PCI DSS), which establishes security requirements and security controls for the protection of sensitive data associated with personal credit card and payment card information
The Health Insurance Portability and Accountability Act (HIPAA), a federal law regulating information security and privacy protections for personal health information
Frameworks and standards are systems that, when followed, help an entity to consistently manage information security controls for all their systems, networks, and devices, including configuration management, physical security, personnel security, network security, and information security systems. They define what constitutes good cybersecurity practices and provide a structure that entities can use for managing their information security controls.