Security controls
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks. To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident: (Some security professionals would add further categories such as deterrent controls and compensation. Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001. Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls.This is simply a matter of semantics.) Security controls can also be categorized according to their nature, for example: A similar categorization distinguishes control involving people, technology and operations/processes. Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Others argue that these are subsidiary categories.
Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO/IEC 27002, the Information Security Forum s Standard of Good Practice for Information Security and NIST SP 800-53 (more below). Some of the most well known are outlined below. ISO/IEC 27001 From NIST Special Publication SP 800-53 revision 1. From DoD Instruction 8500.2 there are 8 Information Assurance (IA) areas and the controls are referred to as IA controls. DoD assigns the IA control per CIA Triad leg. .
