Cybersecurity controls are mechanisms (which includes processes rather than something tangible) that are used to prevent, detect, and mitigate cyber threats and attacks. Best practices suggest that these controls are implemented in a layered approach that provides redundant and diverse protections for the organization. The right set of controls implemented properly will help an organization meet its regulatory, compliance, and risk management obligations. Next, we look at the 4 general categories of cybersecurity controls.
Technical Controls:
Technical controls, as defined by NIST, are security mechanisms primarily implemented and executed by an information system through measures that involve the use of hardware, software, and systems to protect an organization’s assets. Leveraging software for this purpose includes configuring security features and device configurations to secure organizational assets. Hardware can also be designed to provide some controls such as device level encryption of a hard drive. Hardware and Software controls can be combined to form more complex controls to protect an organization as well.
Here are some examples of Technical controls: Access control, encryption, firewalls, intrusion detection and prevention systems (IDPS), antivirus software, security patches, biometric authentication, secure coding practices in software development.
Managerial Controls:
Managerial controls, as defined by NIST, for an information system focus on the management of risk and the management of information systems security. Managerial controls can include policies, procedures, and strategies put in place to manage the systems and the risks that they are exposed to. These controls involve planning, governance, and decision-making at the managerial or executive level.
Examples of Managerial controls include security policies and procedures, risk management, security awareness and training programs, incident response planning, security audits and assessments, compliance management, business continuity and disaster recovery planning.
Operational Controls:
Operational security controls, as defined by NIST, are those that are primarily implemented and executed by people (as opposed to systems). Operational controls are day-to-day procedures and processes that help maintain the security of the system or application and ultimately the organization. These controls require the proper execution and enforcement of security policies and procedures carried out by professionals.
Some examples of Operational controls include user access management, system and network monitoring, security incident handling, data backup and recovery, change management, vulnerability management, security testing, log management, and security awareness training.
Physical Controls:
Physical controls, as defined by NIST, are measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. The focus is on controlling and monitoring access to these components. As part of a layered defense these are typically the first controls an attacker will encounter when they are physically present at the organization’s location.
Examples of Physical controls include perimeter security (fences, gates, guards), access control systems (biometric scanners, key cards), video surveillance, environmental controls (temperature, humidity), secure storage facilities, disaster recovery sites, and asset tracking.
Governance Perspective
Leaders in an organization should focus on strategic planning and policy development when it comes to controls. Identifying the need for new controls or altering existing controls can be dictated at a high level by management but specific implementations, tool selection, and testing should be carried out by those who are responsible for the controls from an operational perspective. Of course, leaders will be responsible for reviewing recommendations offered by security professionals and budgetary or financial decisions must be made by leadership before a final decision is made.
Operational Perspective
Professionals who work on the front line have a different perspective about the Operation Controls necessary to protect an organization. They tend to focus on how easy controls are to operate, maintain, and how they enhance their ability to carry out daily tasks. Managers should seek out the unique perspective of their direct reports before making decisions about which controls to implement and specific procedures that should be defined. Ultimately the organization will rely on these individuals to implement, maintain, and track the effectiveness of these controls and without their input and support the intended outcome may fall short.
Summary
When we take controls from these categories and implement them in a layered defense the result can be a robust, redundant, and diverse set of controls that can enhance the security of the organization. Technical controls approach solving the security threat or risk leveraging technology and systems, managerial controls provide strategy and defined policies meant to address the security concerns, operational controls require that personnel implement and enforce security measures, and physical controls protect the physical assets and environments where our systems and information reside.