Controls

With our digital society's ever-growing reliance on data and interconnectivity, it is time to develop resilience with Next-Generation Information Security Controls.

Information Security Controls are wide-ranging and can be implemented at every layer of the OSI model. There are nearly 100 different categories of controls, but in general terms they can be grouped as follows:

  • Directive (Policies, etc.)
  • Preventative (Reduce the likelihood of a security event)
  • Detective (Identify when a security event has occurred)
  • Corrective (Correct errors, omissions or malicious acts once they are detected)
  • Recovery (Associated with business continuity or disaster recovery and reduce the impact of a security event)

Whichever category they fall into, the purpose of an information security control is to preserve the confidentiality, integrity and availability of data, and to reduce risk to a level that is acceptable to the organisation.

Preserving the confidentiality, integrity and availability of data

Confidentiality is all about securing data and keeping it away from those who should not be accessing it. Confidentiality is sometimes mandated by regulations or standards because of the sensitivity of the data in question. Controls that could fall into this category include:

  • Encryption
  • Secure data transfer methods
  • Identity and Access Management
  • Multi-Factor Authentication
  • Security awareness training
  • Application management

Integrity is all about change control for data, ensuring that no modifications take place without the knowledge and consent of the data owner. Controls that fit into this category could be:

  • File Integrity Monitoring
  • Malware Protection
  • Intrusion Detection System
  • Logging and Monitoring
  • Secure Coding practices

Availability is all about authorised users being able to access and use data whenever they need it. This has clear links to business continuity and disaster recovery. Controls that fall into this category could be:

  • Data Loss Prevention
  • Intrusion Prevention System
  • Backups
  • Vulnerability and Patch Management
  • Cloud adoption

The above lists are not exhaustive, and it is not always simple to place a control under just one of the three pillars of security. Security events often have a wide variety of impacts, because an attack can be aggressive and can move between stages. As such, controls frequently have to span more than one category in order to be effective.

Evaluating Information Security Controls

Information security control objectives should complement those of the organisation, using controls to securely enable business processes rather than to hinder them.

Information Security Controls should be evaluated in conjunction with the following:

  • Legislative restraints or requirements
  • Regulatory restraints or requirements
  • Organisational restraints or requirements
  • Operational restraints or requirements
  • Cost vs risk reduction
  • Cost of implementation and monitoring vs cost of loss from an incident