Information Security Controls

Course: 8 hours 25 minutes | Difficulty: Advanced | CEU/CPE: 9
Video Transcription
Now in the last section we said the bedrock of our information security program was going to be our policies, procedures, standards, and guidelines. That's absolutely true. But those are really part of a larger category of risk mitigation strategies called controls. When we talk about our information security controls, their whole purpose is to reduce the risk associated, in our instance, with information security breaches. We'll talk about the different types of information security controls, which are basically administrative, physical, and technical, and then we'll talk about the function of information security controls and whether these controls are proactive or reactive.

Now, I love this chart because I think it makes it easy to understand how this comes together. We have physical, administrative, and technical controls over in the left column. Basically, with your physical controls, you're generally looking at controlling access to a room or protecting your facility, but these elements like security guards, fences, CCTV, those are physical elements. Now, with our technical controls, those are things we use to protect data specifically, like our firewalls, encryption, honeypots and IDS, patching systems, keeping them updated; those are our technical controls. Then we have administrative controls, which are essentially policies, procedures, standards, guidelines, audit policies in place, those things that we attribute to coming down from senior leadership. Those are the types of controls.

Then when we look at the function, we generally have controls that are proactive or reactive. Now for proactive controls, ideally, we'd like to prevent an attack. That would be the most desirable case. It's always easier to prevent than it is to correct, so those are our preventive controls. Now, along with preventive controls, I would also mention that deterrent controls are also a proactive control. We just have preventive listed here, but deterrent controls discourage an attacker. A sign that says "beware of dog," that's going to be a deterrent control. It's a psychological control. You can keep right on moving, but I've planted the idea in your mind that there are going to be repercussions. A preventive control will physically stop you, at least temporarily. You can't just go through a fence. Now you can cut a fence, you could scale a fence, but it will at least provide a hard stop, at least for a period. Preventive and deterrent go hand in hand, and they're both proactive.

Now, if your preventative and deterrent controls don't work, you need a means of detecting that the control didn't work. Burglar alarms, for instance, intrusion detection systems, alerts that you might set up based on performance, those will detect that a breach is about to happen or is happening. Then we've got to respond and correct that loss. Now I'll tell you also, with corrective, you could think about recovery controls; corrective controls, those work. Repair, restore from backup, fix a broken window, whatever that may be, quarantine some malware, those are going to be your corrective controls.

Now one type of control, one function for a control that's not listed, is going to be a compensating control. I think it's worth mentioning here that a compensating control could come up. A compensating control is when plan A doesn't work for you. For instance, I want a security guard, but they're too expensive, so instead I have a security dog. I wanted a security dog, but that's too expensive, so I got a Boston Terrier instead. If you're not familiar with Boston Terriers, they are not made for securing your organization. They are made for lap dogs. But the idea is that if plan A doesn't work, we have to compensate somehow. We have to go to plan B, and that's compensating. We could also consider compensating controls when plan A doesn't provide a full and complete solution. Separation of duties might be an administrative control to prevent fraud. That's not 100 percent effective. In addition, a compensating control to pick up where separation of duties leaves off would be maybe strong authentication or any of the other ways that we're going to prevent fraud.

Preventative, detective, corrective, those are the functions, and think of proactive; if proactive doesn't work, then detective; then respond, or reactive. Then don't forget we need physical, technical, and administrative controls. The idea when we talk about a layered defense is that it shouldn't just be physical control after physical control. Lighting, a fence, a security guard, all of those elements may be protective, but they're providing one-dimensional defense. We also need technical controls; we also need administrative controls. The real secret here is defense in depth, like we've talked about before.

Now as we implement these controls, as I mentioned earlier, you don't just implement security for the sake of implementing security. Your control implementation should be tied to expected end results. Those end results are our objectives. The objectives should help us accomplish our long-term goals. Objectives help us reach controls. The idea is, before we would ever implement a control, we want to document the objectives for the control. I don't know if a control is meeting its objectives if I don't know what its objectives are. If I can't tell you that a control's meeting its objectives, I can't tell you if it's successful or not. With every control, we should have a set of well-defined objectives for that control that we can use to monitor against, and say yes, this $60,000 firewall was worth the money, and here's how we can prove that based on business needs. We ought to be able to say, before the firewall, we were losing 5,000 man-hours with an average salary of $50,000, or with an average cost of $50,000. Now that we've implemented this firewall, we're only losing 20 man-hours based on security incidents, at this cost. You see what I did? I'm tying that into business objectives. When we state our objectives, that's one big thing that you'll always see on the exam: making sure what we do in security is aligned with the objectives of the business. That comes through in our control objectives.

Many of you have probably heard the idea of SMART objectives: specific, measurable, attainable, relevant, and timely, or time-based. A security objective should not be something like, "this firewall should improve security." What does that even mean? How am I going to know if it's improved security? Specific: we expect a 25 percent reduction in man-hours lost. That's specific, that's measurable. I can't say something like, "we expect no more security incidents." That's not attainable. We need to make sure we don't have these pie-in-the-sky objectives. Relevant, again, means they need to be tied in to business goals that are relevant to the organization. Not relevant to IT, but relevant to the organization. They can always be traced back to a business objective. Then time-based. None of these nebulous objectives of "this should happen." But when should it happen? How should it be obvious, or how should we be able to tell, that we've met our requirements? This should all happen by the end of the first quarter, by June 5th. Tying each one of these SMART elements together, we then have a well-articulated objective that we can use to determine if our controls are being successful.

In this last section, we talked about the relevance of our security controls, and we basically said these are the ways that we mitigate risk. We reduce the risks associated with information security. We looked at the types, which were administrative, technical, and physical, and then the functions, proactive versus reactive, of the security controls themselves. Ultimately, as we get into the more technical chapters, we're going to start getting more in-depth in those technical controls and even discussing some physical controls as well. The administrative controls we covered in the last section, which were policies, procedures, standards, and guidelines.