Designing and implementing proper security controls requires a systematic and thorough approach to ensure the confidentiality, integrity, and availability of information systems and data.
It is important to note that designing and implementing proper security controls is an ongoing process that requires continuous monitoring and improvement. Effective security controls will help protect the confidentiality, integrity, and availability of information and systems, and reduce the risk of data breaches and other security incidents.
Here are the steps to follow:
- Assess risk: Start by identifying potential security threats and assessing the risk to your organization. This will help determine what types of controls are necessary to mitigate those risks.
- Choose security controls: Based on the risk assessment, select the appropriate security controls to implement. This may include technical controls such as firewalls, access control systems, and encryption, as well as administrative controls such as policies, procedures, and employee training.
- Implement security controls: Once the security controls have been selected, implement them in a manner that is consistent with best practices and industry standards. Ensure that the controls are integrated with existing systems and processes and that they are tested and validated to ensure their effectiveness.
- Monitor and review: Continuously monitor and review the security controls to ensure they are functioning as intended. Regularly assess the effectiveness of the controls and make changes as necessary to ensure that they continue to meet the organization’s security requirements.
- Update policies and procedures: Regularly review and update policies, procedures, and standards to reflect changes in the threat landscape, security best practices, and organizational requirements.
- Provide ongoing training: Provide ongoing training to employees to ensure that they understand the importance of information security and are aware of the security controls in place.
Information security is largely about managing risk. That means IT controls are implemented depending on the risk they are designed to manage. The focus is on mitigating risk by implementing appropriate security controls.
Here are some ways to deal with risk.
- Risk can be Avoided
- Risk can be Transferred
- Risk can be Accepted
The following activities consider the implementation of controls within the context of such a framework:
- Discover and classify data and information systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize the controls
- Monitor the controls
Selecting security controls is best approached by first adhering to a common set of basic or baseline controls. We might need to apply additional controls that are specific to the system or application.
Some common control baselines from the NIST Standard 800-53:
| CONTROLS FAMILY | CONTROL EXAMPLES |
|---|---|
| Access Control | Account Management; Separation of Duties; Least Privilege |
| Awareness and Training | Security Awareness; Security Training; Training Records |
| Audit and Accountability | Audit of Record Retention; Auditable Events |
| Security Assessment and Authorization | Plan of Action and Milestones; Security Authorization |
| Configuration Management | Baseline Configuration; Configuration Change Control |
| Contingency Planning | Contingency Training; Alternate Storage Site |
| Identification and Authentication | Identifier Management; Cryptographic Module Authentication |
| Incident Response | Incident Handling; Incident Monitoring; Incident Reporting |
| Maintenance | Controlled Maintenance; Maintenance Tools |
| Media Protection | Media Access; Media Marking; Media Storage |
| Physical and Environmental Protection | Physical Access Controls; Visitor Control; Fire Protection |
| Planning | System Security Plan; Privacy Impact Assessment |
| Personal Security | Personnel Screening; Personnel Termination |
| Risk Assessment | Security Categorization; Vulnerability Scanning |
| System and Services Acquisition | Allocation of Resources; Security Engineering Principles |
| System and Communications Protection | Denial of Service Protection; Boundary Protection |
| System and Information Integrity | Malicious Code Protection; Spam Protection; Error Handling |
| Program Management | Enterprise Architecture; Risk Management Strategy |
Some Critical Security Controls from the CIS Supported by SANS:
Conclusion:
In conclusion, proper security controls play a crucial role in protecting the IT infrastructure and ensuring compliance with regulations and standards. Designing and implementing these controls involves identifying the risk areas, determining the control objectives, selecting appropriate security controls, and monitoring the implementation for effectiveness. It is important to regularly review and update the security controls to ensure their continued effectiveness in protecting the IT infrastructure.