Monday, 18 May 2009

Controls in a Security Solution

As just mentioned, the work of actually securing data is the responsibility of the custodian.

However, if security is applied only through technical means, the results will not be highly effective. Specifically, because most attacks originating inside a network are not technical attacks, nontechnical mitigation strategies are required to thwart them. Cisco defines three security controls contained in a more all-encompassing security solution:


• Administrative controls are primarily policy-centric. Examples include the following:

— Routine security awareness training programs

— Clearly defined security policies

— A change management system, which notifies appropriate parties of system changes

— Logging configuration changes

— Properly screening potential employees (for example, performing criminal background checks)

• Physical controls help protect the data’s environment and prevent potential attackers from readily having physical access to the data. Examples of physical controls are

— Security systems to monitor for intruders

— Physical security barriers (for example, locked doors)

— Climate protection systems, to maintain proper temperature and humidity, in addition to alerting personnel in the event of fire

— Security personnel to guard the data

• Technical controls use a variety of hardware and software technologies to protect data. Examples of technical controls include the following:

— Security appliances (for example, firewalls, IPSs, and VPN termination devices)

— Authorization applications (for example, RADIUS or TACACS+ servers, one-time passwords (OTP), and biometric security scanners)


Individual administrative, physical, and technical controls can be further classified as one of the following control types:

• Preventive: A preventive control attempts to prevent access to data or a system.

• Deterrent: A deterrent control attempts to prevent a security incident by influencing the potential attacker not to launch an attack.

• Detective: A detective control can detect when access to data or a system occurs.

Interestingly, each category of control (administrative, physical, and technical) contains components for these types of controls (preventive, deterrent, and detective). For example, a specific detective control could be one of the following:

• An administrative control, such as a log book entry that is required by a security policy

• A physical control, such as an alarm that sounds when a particular door is opened

• A technical control, such as an IPS appliance generating an alert
