SECURITY CONTROLS


What Is A Security Control?

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

It could be hardware (a firewall) or software (antivirus), or it could be policies we implement and enforce to control risks.

Some organizations are able to implement policies but don't enforce them, so you need to make sure that all the controls are in place and that everybody is following the policies and best practices.

Types of Security Control

Administrative - An administrative control is one that comes down through policies, procedures, and guidelines. An example of an administrative control is the escalation procedure to be used in the event of a break-in; who is notified first, who is called second, and so on. Another example of an administrative control is the list of steps to be followed when a key employee is terminated: disable their account, change the server password, and so forth.

Logical - These are the virtual, application and technical controls (systems and software), such as firewalls, antivirus software, encryption and maker/checker application routines.

Physical - Whereas a firewall provides a "logical" key to obtain access to a network, a "physical" key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities.

All three of these elements are critical to the creation of an effective control environment. However, these elements do not provide clear guidance on measuring the degree to which the controls mitigate the risk. Instead, the Simple Risk Model utilizes an alternative set of elements that provide a better means of weighting the level of mitigation:

Preventive - These are controls that prevent the loss or harm from occurring. For example, a control that enforces segregation of responsibilities (one person can submit a payment request, but a second person must authorize it), minimizes the chance an employee can issue fraudulent payments.

Detective - These controls monitor activity to identify instances where practices or procedures were not followed. For example, a business might reconcile the general ledger or review payment request audit logs to identify fraudulent payments.

Corrective - Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered the payment data.

Of the three types of controls, preventative controls are clearly the best, since they minimize the possibility of loss by preventing the event from occurring. Corrective controls are next in line, since they minimize the impact of the loss by restoring the system to the point before the event. However, the restoration procedure may itself result in some degree of loss, since it may lead to the unavailability of systems and applications along with possible lost productivity, customer dissatisfaction, etc. The least effective form of control, but the one most frequently used, is detective controls - identifying events after they have happened. Depending on how soon the detective control is invoked after an event, a business may uncover a loss long after there is any opportunity to limit the amount of damage. In the Proof-of-Concept application, the Control is weighted by whether it is a preventative, detective or corrective control.

One other valuable distinction to be made with controls is whether they are manual or automated. A business can implement manual controls to minimize the chance of fraudulent payments, such as requiring an administrator and a manager to manually sign the applicable paperwork to indicate that the transaction was authorized and approved. As an alternative, the business could automate these controls by introducing a computer program with logical access, segregation of duties and maker/checker controls.
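To make the maker/checker idea concrete, here is an added example in Python (not code from the original post): approve() is the automated preventive control that enforces segregation of duties, and reconcile() is the detective review over the audit log; all user names, request ids and log entries are constructed for illustration.

```python
# Added example (not from the original post): maker/checker control for payments.
# approve() is the preventive control; reconcile() is the detective control that
# reviews an audit log. All names, ids and log entries below are constructed.
from dataclasses import dataclass

@dataclass
class PaymentRequest:
    request_id: str
    maker: str
    amount: float
    checker: str = ""   # filled in only when a different user approves

class PaymentSystem:
    def __init__(self):
        self.requests = {}    # request_id -> PaymentRequest
        self.audit_log = []   # every submit/approve/reject is recorded here

    def submit(self, request_id, maker, amount):
        req = PaymentRequest(request_id, maker, amount)
        self.requests[request_id] = req
        self.audit_log.append({"event": "submit", "id": request_id, "user": maker})
        return req

    def approve(self, request_id, checker):
        # Preventive control: the checker must be a different person than the maker.
        req = self.requests[request_id]
        if checker == req.maker:
            self.audit_log.append({"event": "reject", "id": request_id, "user": checker})
            raise PermissionError(f"{checker} cannot approve own request {request_id}")
        req.checker = checker
        self.audit_log.append({"event": "approve", "id": request_id, "user": checker})
        return req

def reconcile(audit_log):
    """Detective control: ids approved by their own submitter or with no submit record."""
    makers, findings = {}, []
    for entry in audit_log:
        if entry["event"] == "submit":
            makers[entry["id"]] = entry["user"]
        elif entry["event"] == "approve":
            maker = makers.get(entry["id"])
            if maker is None or maker == entry["user"]:
                findings.append(entry["id"])
    return findings

# Constructed log from a batch where the application-level check was bypassed.
BYPASSED_LOG = [
    {"event": "submit", "id": "P-1", "user": "alice"}, {"event": "approve", "id": "P-1", "user": "bob"},
    {"event": "submit", "id": "P-2", "user": "carol"}, {"event": "approve", "id": "P-2", "user": "carol"},
    {"event": "approve", "id": "P-3", "user": "dave"},   # no submit record at all
]
```

Running reconcile() over the constructed log flags P-2 (self-approved) and P-3 (approved with no submit record), which is exactly the kind of finding the detective review in the text is meant to surface.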

Deterrent - A deterrent control is anything intended to warn a would-be attacker that they should not attack. This could be a posted warning notice that they will be prosecuted to the fullest extent of the law, locks on doors, barricades, lighting, or anything that can delay or discourage an attack.

Compensating - Compensating controls are backup controls that come into play only when other controls have failed. An office building may have a complex electronic lock on the door (preventive control) and a sign that you will be arrested if you enter (deterrent control), but it is a safe bet they will also have an alarm that sounds (a compensating control) when the door is jimmied as well as a backup generator (another compensating control) to keep that electronic lock active when the power goes out.

When you put controls in place it is possible that your controls are too loose or too tight, and this gives room to what we call false positives and false negatives.

False Positive: a false warning.

Ex: Suppose your email program is filtering spam but accidentally moves a legitimate message to the spam folder.

Ex2: An authorised user accesses a facility he is authorised to use, but our security controls still raise a false alarm.

False Negative: appears negative when it should not.

Ex: A test designed to detect a vulnerability returns a negative result saying there is no vulnerability, but in reality the vulnerability exists.
