This article may be
confusing or unclear to readers. (January 2012) |
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. [1] In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Security controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:
Security controls can also be classified according to their characteristics, for example:
For more information on security controls in computing, see Defense in depth (computing) and Information security
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.
ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025).
The 2022 version of the Standard specifies 93 controls in 4 groups:
It groups these controls into operational capabilities as follows:
The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:
The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards.
Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.
FIPS 200 identifies 17 broad control families:
National Institute of Standards and Technology
A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."
A database of nearly one thousand technical controls grouped into families and cross references.
A proprietary control set published by ISACA. [2]
Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls). [3] The CIS Controls are divided into 18 controls.
The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls. [4]
In telecommunications, security controls are defined as security services as part of the OSI Reference model
These are technically aligned. [5] [6] This model is widely recognized. [7] [8]
The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:
This article may be
confusing or unclear to readers. (January 2012) |
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. [1] In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Security controls can be classified by various criteria. For example, controls are occasionally classified by when they act relative to a security breach:
Security controls can also be classified according to their characteristics, for example:
For more information on security controls in computing, see Defense in depth (computing) and Information security
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.
ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025).
The 2022 version of the Standard specifies 93 controls in 4 groups:
It groups these controls into operational capabilities as follows:
The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:
The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards.
Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53.
FIPS 200 identifies 17 broad control families:
National Institute of Standards and Technology
A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."
A database of nearly one thousand technical controls grouped into families and cross references.
A proprietary control set published by ISACA. [2]
Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls). [3] The CIS Controls are divided into 18 controls.
The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls. [4]
In telecommunications, security controls are defined as security services as part of the OSI Reference model
These are technically aligned. [5] [6] This model is widely recognized. [7] [8]
The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including: