Defense-in-depth is the best strategy for reducing cybersecurity risk. Just like how a medieval castle uses layered defenses for its physical security, modern organizations implement layered security controls to protect the confidentiality, integrity, and availability of their information. The specific security controls implemented by an organization should be informed by its own risk appetite, regulatory requirements, and operational capabilities. This article covers different kinds of security controls organizations should consider adopting to protect their information assets.
Two Categories of Security Controls
While medieval castles primarily relied upon physical controls such as moats, gates, and guards for protection, information technology environments must, of course, be protected by more than just physical access to hardware. Nowadays, one way to think about a control is whether it’s (1) administrative or (2) technical.
Administrative controls regulate how a process should occur or what the appropriate actions of people are in an organization. Executive or departmental leaders are typically responsible for implementing administrative controls. Specific controls include developing policies and procedures, such as an Acceptable Use Policy or Guest Access Policy. Risk assessments, Incident Response, Disaster Recovery, and Business Continuity Plans are also examples of administrative controls. Overall, administrative controls attempt to control, by rulemaking, people’s conduct within an organization.
On the other hand, technical controls regulate the use of technology in an organization, specifically through some hardware, software, or firmware capability. Information technology leaders are typically responsible for implementing technical controls. Specific controls include firewall rules, multi-factor authentication requirements, backup and restore schedules, and anti-virus software configurations. Overall, technical controls are intended to safeguard the way people and data interact across the information technology environment.
Both administrative and technical controls work together to reduce an organization’s risk. Administrative controls are broadly applicable and enable shared understanding from stakeholders such that they can take appropriate actions on their own or as a team. Technical controls enable the flow of data and use of information technology in desirable ways. Organizations should adopt both administrative and technical controls across their environment.
Four Purposes of Security Controls
Another way to think about security controls is their purpose. Medieval castles had controls to prevent someone from entering them, such as high walls and a single entrance. They also had roaming guards to detect malicious activity and heavily armed fortifications to deter someone from attacking. To achieve defense-in-depth, organizations should adopt a variety of controls with different purposes, such as (1) preventative, (2) deterrent, (3) detective, and (4) corrective controls.
Preventative controls seek to prevent an action from occurring by limiting the capability of something, such as firewall rules and removable media restrictions.
Deterrent controls seek to prevent an action from occurring by dissuading someone from carrying out an attack, such as threats of fines and the presence of security cameras.
Deterrent controls are most effective when they are known to would-be malicious actors, whereas preventative controls don’t need to be known to be effective.
Detective controls seek to alert about the presence of harmful activity, such as alarms generated from log activity or the use of a confidential reporting line.
Corrective controls seek to mitigate the harm caused by an incident, such as restoring data from backups or having redundant systems in place in case one fails.
Overall, controls can be thought of as being either administrative or technical and serving a preventative, deterrent, detective, or corrective purpose. These two conceptions work together: for example, a visitor log is an administrative-detective control, whereas a Security Information and Event Management (SIEM) system is a technical-detective control.
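To make the technical-detective category concrete, here is an added example of the kind of rule a SIEM applies to log activity: it alerts when one source address fails authentication repeatedly within a short window. This is illustration code written for this article, not Sedara's code or any product's rule; the sshd-style log lines, the field layout the parser expects, and the threshold and window values are all constructed assumptions for the demo.

```python
"""Detective control example: flag bursts of failed logins from one source.

Added illustration (not the article's or Sedara's code). It mimics the kind
of alert a SIEM rule raises from log activity: when one source address fails
authentication at least `threshold` times within `window_seconds`, an alert
is produced. The log lines below are constructed samples in an sshd-like
format; the field layout is an assumption made for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50112
2024-05-01T10:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 50113
2024-05-01T10:00:09 sshd[102]: Accepted publickey for alice from 198.51.100.20 port 41002
2024-05-01T10:00:12 sshd[101]: Failed password for root from 203.0.113.7 port 50114
2024-05-01T10:00:20 sshd[101]: Failed password for root from 203.0.113.7 port 50115
2024-05-01T10:00:31 sshd[101]: Failed password for root from 203.0.113.7 port 50116
2024-05-01T10:05:00 sshd[103]: Failed password for bob from 198.51.100.20 port 41010
2024-05-01T10:09:00 sshd[103]: Failed password for bob from 198.51.100.20 port 41011
"""

# Assumed line layout: "<ISO timestamp> sshd[<pid>]: <event> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<event>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return (timestamp, event, user, src) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"])


def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window rule: alert once per source when at least `threshold`
    failures fall within `window_seconds`. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()               # sources already reported, to avoid repeats
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # ignore lines this rule does not understand
        ts, event, user, src = parsed
        if event != "Failed password":
            continue              # successful logins do not count toward the burst
        q = recent[src]
        q.append(ts)
        # Drop failures that fell out of the window relative to this event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOGS.splitlines()):
        print(f"ALERT: {a['count']} failed logins from {a['src']} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

Run as a script, it reports one alert for 203.0.113.7 (five failures in thirty seconds) and stays silent for 198.51.100.20, whose two failures are minutes apart. The threshold and window are the tunable part of any such rule; a detective control that fires too readily trains analysts to ignore it, so the values should be set against the organization's own baseline of normal activity.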
Security Control Frameworks
Organizations seeking to improve their cybersecurity capabilities by implementing security controls do not have to start from scratch: several frameworks exist that include a variety of best practice security controls.
Two of the most common frameworks are the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Security Controls. Both frameworks are widely adopted by all kinds of organizations. Comprehensive gap assessments should be undertaken against the frameworks to determine where there are opportunities to improve organizational defense-in-depth.
The best way to reduce cybersecurity risk is by implementing layers of security controls. Sedara has virtual Chief Information Security Officers (vCISO) who serve as the tip of the spear for implementing administrative and technical security controls across an organization. They conduct gap assessments against different cybersecurity frameworks to determine where there are organizational weak links. They expertly advise on a range of preventative, deterrent, detective, and corrective controls. Sedara’s vCISOs also work alongside Sedara’s Security Operations Center (SOC) to provide 24x7x365 continuous monitoring of an organization’s information technology environment. Contact Sedara today to learn how a vCISO can help your organization.