Blog, Learning Center November 11, 2021

What are Information Security Controls?

The possibility of a data breach at your organization can be anxiety-inducing. According to the Ponemon Institute, the average cost of a data breach is $3.61 million, and it’s on the rise; the average data breach cost is up 10% over last year and remote work is a contributing factor: Ponemon found that breaches caused by remote work were $1.07 million more expensive than those that weren’t.

This may have your organization wondering if you’re protecting your data in every way you can. What security controls should your company have in place to protect your data, devices, and networks?

What are information security controls?

According to NIST (the National Institute of Standards and Technology), security controls are defined as “the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.”

That means that any countermeasure used to keep a computer, device, or network safe from a data breach or other attack is a security control.

That may seem extremely broad, but information security controls are often categorized, both by type and by the goals of the countermeasure. What does that mean? Below is a listing of information security controls by type:

  • Physical controls: Locks on doors that keep intruders away from devices, the ability to remove a device from a network, and access control for physical equipment are all physical controls.
  • Administrative controls: Incident response processes, information security awareness, and training are administrative controls.
  • Technical controls: Items that use technology to combat attacks, like authentication, antivirus software, and firewalls, are technical controls.
  • Legal and regulatory or compliance controls: Privacy legislation or information security frameworks are legal or regulatory controls.

When controls are classified by a goal, however, the list looks a little different:

  • Preventive controls: Intended to prevent an incident from occurring, such as good cyber hygiene, network segmentation, and user authentication.
  • Detective controls: Tools used to identify an incident while it is under way and to respond to the breach, such as anti-malware software, a ransomware response plan, or security ratings.
  • Corrective controls: After the event, corrective controls limit the extent of any damage caused by the incident, such as cybersecurity insurance or new response plans.

What security controls does my organization need?

No one organization will implement every single information security control. Some may be redundant and some might not be relevant to your organization or your networks, but every organization needs some of the above.

There are several security standards and frameworks that provide a starting point for organizations when it comes to security best practices and controls.

  • NIST, mentioned above, offers a free, voluntary cybersecurity framework consisting of standards, guidelines, and practices to promote the protection of an organization’s critical infrastructure. It lists more than 100 individual controls a company can use to mitigate risk.
  • Another standard, ISO/IEC 27001, is offered by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This international standard identifies 114 controls in 14 groups, ranging from policies to incident management.
  • The SANS CIS Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop attacks.
  • COBIT 5 is a proprietary control set published by ISACA that is based on five principles of security.

These are just a few examples; many regulated industries and sectors are governed by their own frameworks and control sets.

How can SecurityScorecard help?

SecurityScorecard’s security ratings are technical and detective controls: they help you identify problems with your organization’s security posture before you’re attacked, and they do so through technology rather than through a physical safeguard like a lock on a door.

SecurityScorecard continuously monitors your complete infrastructure, including your extended enterprise. Our platform can track both your internal and external adherence to established policies and practices — we let you capture, report, and remediate security risks in real time, so you’re never in danger of falling out of compliance, no matter which framework or standards you adhere to.