Information security controls are measures taken to reduce information security risks such as information systems breaches, data theft, and unauthorized changes to digital information or systems. These security controls are intended to help protect the availability, confidentiality, and integrity of data and networks, and are typically implemented after an information security risk assessment.
Types of information security controls include security policies, procedures, plans, devices and software intended to strengthen cybersecurity. There are three categories of information security controls:
- Preventive security controls, designed to prevent cyber security incidents
- Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or successful breach (“incident”) while it is in progress, and alerting cyber security personnel
- Corrective security controls, used after a cyber security incident to help minimize data loss and damage to the system or network, and restore critical business systems and processes as quickly as possible (“resilience”)
Security controls come in the form of:
- Access controls including restrictions on physical access such as security guards at building entrances, locks, and perimeter fences
- Procedural controls such as security awareness education, security framework compliance training, and incident response plans and procedures
- Technical controls such as multi-factor user authentication at login and logical access controls, antivirus software, and firewalls
- Compliance controls such as privacy laws and cyber security frameworks and standards.
The most widely used information security frameworks and standards include:
- The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This document lists security requirements useful not only for federal agencies but for all organizations’ information security risk management programs.
- The International Organization for Standardization (ISO) standard ISO 27001, Information Security Management, which provides guidance on information technology security and computer security.
- The Payment Card Industry Data Security Standard (PCI DSS), which establishes security requirements and security controls for the protection of sensitive data associated with personal credit card and payment card information.
- The Health Insurance Portability and Accountability Act (HIPAA), a federal law regulating information security and privacy protections for personal health information.
Frameworks and standards are systems that, when followed, help an entity to consistently manage information security controls for all their systems, networks, and devices, including configuration management, physical security, personnel security, network security, and information security systems. They define what constitutes good cybersecurity practices and provide a structure that entities can use for managing their information security controls.