Security Controls

  • Reactive Security

    • Firewalls

    • Antivirus

  • Proactive Security

    • Asset Inventory – What do we want to protect?

    • Risk Management – Evaluate all potential risks and likelihood

    • Security Controls – Hardware and software solutions we can implement to improve security posture.

      • NIST categories – NIST Special Publication 800-53

        • Technical or logical – implemented by a system: firewall, access control system, IPS, WAF

        • Operational or administrative – implemented by people: security guards, training

        • Management controls – high-level oversight: policies, procedures, documentation

      • Preventative controls – reduce risk by stopping an event before it occurs

      • Detective controls – notify when a risk materializes

      • Corrective controls – fix after the fact: backup and restore, patching

      • Physical controls – locks, doors, fences. Preventative in nature.

      • Deterrent – discourages an attacker: warning signs, security guards, cameras

      • Compensating – a substitute used when the primary control cannot be applied. Must be thoroughly documented and approved.

      • Evaluating Security Control

        • Quality control – done at the factory, by the manufacturer

        • Verification – compliance testing process: does it meet the stated requirements?

        • Validation – Does it do what we want it to do?

        • Assessments – subject a product to a checklist of requirements

        • Evaluations – subjective: is it properly doing its job?

      • Security Audits – More formal evaluations.

      • Continuous monitoring – continuous risk assessment
