May 22, 2013

2.1.1 Control Type

The very essence of computer security is the assessment and management of security risks in an organization. Evaluating these risks and taking the actions needed to address them is what is meant by control.

A security risk can be anything from malicious code to social engineering. Risk management includes risk acceptance, avoidance, mitigation, deterrence, and transference. Control types are risk mitigation strategies employed at various levels for effective risk management.

Control types are mitigation strategies followed in order to limit the impact of risks by addressing vulnerabilities and preventing their exploitation, thereby reducing the likely impact of a security risk. This is achieved through a multi-layered defensive strategy known as “Defense in depth”.

Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. (Rouse)

This strategy was first developed by the military to defend strategic military assets with layers of defense that force the attacker to expend more energy, resources and supplies (Small, 2011). As a military strategy, the primary goal of each layer is to delay an attack, giving up space to gain time to prepare effective countermeasures. The strategy has been adapted by the computer security field to protect the confidentiality, integrity and availability of data and information in a computer network.

In order to mitigate risks, three general types of controls are used: management controls, technical controls and operational controls.
  1. Management control: Management controls are security controls for an information system that focus on the management of risk and the management of information system security. They deal with mitigation of security risks at the administrative and management level, through methods such as effective security policies, business continuity management, regulatory compliance and vulnerability assessments. As an example, some companies follow a policy that prevents employees from bringing personal laptops, other gadgets and storage devices into the workplace. This reduces the risk of data theft by employees and others. An example of this type of control policy is ISO/IEC 27001:2005. This Information Security Management Systems (ISMS) standard recommends a set of criteria and policies for an organization to defend itself against security threats.

  2. Technical control: Technical controls are security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system (NIST). They involve control measures such as access control, authentication methods, encryption services, and data classification services. These controls include the devices, processes, protocols, and measures used to protect the confidentiality, integrity and availability (CIA) of sensitive information (James E. Purcell, 2007).

  3. Operational control: Operational controls are security controls that, broadly speaking, are implemented and executed by people (as opposed to systems) (NIST).

    They include incident handling, contingency planning, computer support, physical and environmental security, and user awareness training. A critical part of this control type is physical security control. Security measures such as CCTVs, controlled access, safety gear, etc. come under this type.

Most controls span the boundaries between the management, operational, and technical categories. Many different security controls are employed to tackle different security-related issues. Understanding the purpose behind each of them helps a learner see why one method is preferable to another in a particular scenario. This knowledge is vital when it comes to formulating a strategy to mitigate threats and address vulnerabilities.