Internal Controls

Information security control is becoming a major subject of corporate and information technology (IT) governance because it plays a crucial role in an organization’s operational efficiency. In addition, firms are required by both internal and external stakeholders to maintain an adequate and effective system of internal controls. There is much confusion in practice about what security controls actually are. Information security controls are measures implemented to protect the confidentiality, integrity, and availability of information assets within an organization. These controls are essential for managing and mitigating the risks associated with potential security threats and vulnerabilities.

Security controls are often part of comprehensive frameworks and standards, such as ISO/IEC 27001, the NIST Cybersecurity Framework, and the CIS Controls, which guide organizations in establishing and maintaining effective information security programs, mitigating risks, and protecting their valuable information assets. Organizations tailor their controls based on their specific needs, risks, and regulatory requirements.

Some common types of information security controls, along with references to widely recognized frameworks or standards:

Access Controls:

Access controls restrict and manage access to information systems and resources, ensuring that only authorized individuals can access specific resources. This includes authentication mechanisms (e.g., passwords, biometrics), authorization policies (e.g., role-based access control), and user account management.

Reference: ISO/IEC 27001:2022 – A.5 (Organizational requirements of access control) and A.8 (Technological requirements of access control)

Encryption:

Encryption converts data into a secure and unreadable format known as ciphertext, which can only be turned back into the original information by authorized parties holding the appropriate decryption key. It is used to protect data both in transit and at rest, ensuring confidentiality.

Reference: NIST Special Publication 800-111 – Guide to Storage Encryption Technologies for End User Devices; NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)

Firewalls:

Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. They act as a barrier between trusted internal networks and untrusted external networks.

Reference: NIST Special Publication 800-41 Revision 1 – Guidelines on Firewalls and Firewall Policy; CIS (Center for Internet Security) Controls, Control 11: Secure Configuration for Network Devices.

Intrusion Detection and Prevention Systems (IDPS):

An IDPS monitors network or system activities for signs of malicious activity or policy violations, alerting administrators and/or taking automated actions to prevent or mitigate security incidents. These systems can detect and respond to threats in real time.

Reference: NIST Special Publication 800-94 Revision 2 – Guide to Intrusion Detection and Prevention Systems (IDPS); SANS (SysAdmin, Audit, Network, Security) Institute’s Critical Security Controls (CSC), CSC 8: Malware Defenses.

Security Auditing and Logging:

Auditing and logging capture and record activities, exceptions, faults and other relevant events from various sources across an organization’s IT infrastructure. A SIEM (Security Information and Event Management) tool can be used to implement this control; it provides real-time monitoring, threat detection, and incident response capabilities.

Reference: ISO/IEC 27001:2022; ISO/IEC 27002:2022 – Logging; NIST Special Publication 800-92 – Guide to Computer Security Log Management.

Patch Management:

Patch management involves regularly updating software applications and systems with the latest security patches to address known vulnerabilities and reduce the risk of exploitation by attackers.

Reference: ISO/IEC 27001:2022 – Information technology — Security techniques — Information security management systems — Requirements; NIST Special Publication 800-40 (Guide to Enterprise Patch Management Technologies); ITIL (Information Technology Infrastructure Library) framework, specifically the Service Operation phase.

Physical Security Controls:

Physical security controls safeguard physical access to information systems, data centers, and other critical infrastructure from unauthorized access, theft, or damage. These controls include measures like access control systems, surveillance cameras, and environmental controls.

Reference: ISO/IEC 27001:2022; ISO/IEC 27002:2022 – Physical Security Control; NIST Special Publication 800-53, ANSI/ASIS SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems — Requirements with Guidance for Use.

Incident Response Plan:

An incident response plan defines the processes and procedures for identifying, managing, and mitigating security incidents promptly, with the aim of minimizing recovery time.

Reference: ISO/IEC 27001:2022; NIST Special Publication 800-61 (Computer Security Incident Handling Guide); ISO/IEC 27035:2016 Information Security Incident Management standard.

Security Awareness Training:

Security awareness training educates employees and users about information security risks, policies, best practices, and their roles and responsibilities in protecting information assets. It helps raise awareness and foster a security-conscious culture within the organization.

Reference: NIST Special Publication 800-50 – Building an Information Technology Security Awareness and Training Program, ISO/IEC 27001:2022; ISO/IEC 27002:2022 (Code of practice for information security controls)

Data Loss Prevention (DLP):

DLP solutions monitor, detect, and prevent unauthorized access, transmission, or use of sensitive data, helping organizations comply with regulatory requirements and prevent data breaches.

Reference: Payment Card Industry Data Security Standard (PCI DSS) Requirement 3: Protect Stored Cardholder Data.

These controls, along with many others, help address risks and protect valuable assets from a range of sophisticated cyber threats.
