Information security standards exist to bring structure to the design of IT security controls and discipline to how those organizations are managed. Specifically, the National Institute of Standards and Technology (NIST) develops frameworks to establish a common set of standards, objectives, and language for alignment across industries.

For example, NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, defines baselines known as security control families, including access control, incident response, business continuity, and disaster recovery for information security.

Regulations and standards such as NIST SP 800-53 provide businesses a starting point to determine risk and to plan protective measures that safeguard your system security from cyberattacks.

What Is a ‘Control’ in Cybersecurity?

Controls are fundamental to your cybersecurity program. Security controls are safeguards implemented to protect various forms of data and infrastructure within the organization. Any protection or countermeasure used to prevent, detect, counter, or limit security hazards to physical property, information, and computer systems, is considered a security control.

Businesses become more vulnerable as they rely more on cloud computing technology and connect their sensitive data to third-party networks. Safeguards must be applied to protect computer systems and networks. That is, they need controls.

Controls are evolving to keep pace with the changing cyber environment. An in-depth defense strategy employs multiple layers of security controls for redundancy in the information security program. This way, if one layer of security fails, another layer of protection remains.

What Are the Four Main Types of Security Controls?

Security controls can be classified into four main types:

  1. Physical Access Controls

    Physical access is controlled by literally restricting and monitoring entry into data centers, offices, and so forth; with measures such as security guards at building entrances, locks, closed-circuit security cameras, perimeter fencing, access control cards, and intrusion detection sensors.

  2. Procedural Controls

    Administrative controls such as security awareness education, security framework compliance training, management oversight, incident response plans, and procedures — they all improve network security with documented processes.

  3. Technical Controls

    Multi-factor user authentication, anti-virus software, and limiting internal access to computer systems on a need-to-know basis are all ways to use technology to control security.

  4. Compliance Controls

    Depending on your industry, you may choose (or be required) to comply with regulatory frameworks. You may need to abide by privacy laws or certifications to particular standards aimed at reducing security threats. These usually include an assessment of information security risks, the imposition of information security rules, and periodic audits.

    For example, suppose your company must comply with the NIST cybersecurity framework but fails to meet all the requirements. You may face monetary penalties until those compliance controls are in place.

What Are Security Control Families?

Security control families are collections of security controls all related to the same broad subject: physical access controls, awareness and training, incident response, and so forth. The precise number of controls within each family can vary, but each one will relate back to the control family’s basic focus.

NIST SP 800-53 provides a list of controls that support the development of secure and resilient federal information systems. It also assures that organizations comply with the Federal Information Security Modernization Act (FISMA) and the Federal Information Processing Standard Publication 200 (FIPS 200) standard.

These controls are the operational, technical, and management standards and guidelines to be used by information systems to maintain integrity, confidentiality, and availability of networks and data.

The guidelines take a multi-tiered approach to risk management through compliance controls. Controls are divided into security control families that allow businesses to select only the controls most applicable to their needs.

How Many Control Families Are in NIST SP 800-53?

NIST SP 800-53 provides 18 security control families that address baselines for controls and safeguards for federal information systems and organizations.

  • AC – Access Control: Security requirements for access control include account management, remote access logging, and system privileges to determine users’ ability to access data and reporting features.
  • AU – Audit and Accountability: Security controls related to an organization’s audit capabilities make up the AU control family. Audit rules and processes, audit recording, audit report creation, and audit information protection are all part of this.
  • AT – Awareness and Training: The AT control family’s control sets document your security training materials, procedures, and records.
  • CM – Configuration Management: CM controls relate to an organization’s configuration management policy and serve as the foundation for future information system builds or changes. It also includes inventories of information system components and a security impact analysis control.
  • CP – Contingency Planning: The CP control family includes controls particular to an organization’s cybersecurity contingency plan. Contingency plan testing, updating, training, backups, and system reconstitution are included.
  • IA – Identification and Authentication: IA controls are particular to an organization’s identification and authentication procedures to assure proper access for organizational and non-organizational.
  • IR – Incident Response: Controls for incident response are customized to an organization’s rules and processes. This area may include incident response training, testing, monitoring, reporting, and a response strategy.
  • MA – Maintenance: Revision five of NIST 800-53 outlines standards for maintaining systems and tools.
  • MP – Media Protection: Access, marking, storage, transit policies, sanitization, and defined organizational media use are all covered by the media protection control family.
  • PS – Personnel Security: Standards around personnel screening, termination, transfers, sanctions, and access agreements are all examples of PS controls to protect employees.
  • PE – Physical and Environmental Protection: Physical and environmental protection is a control family used to safeguard systems, buildings, and supporting infrastructure from physical dangers. Physical access authorizations, monitoring, visitor records, emergency shutoff, electricity, lighting, fire protection, and water damage prevention are all examples of these controls.
  • PL – Planning: Security planning policies address the goal, scope, roles, duties, management commitment, and coordination among entities for organizational compliance.
  • PM – Program Management: The PM control family applies to your cybersecurity program. It includes a critical infrastructure plan, information security program plan, a plan of action milestones and processes, a risk management strategy, and enterprise architecture.
  • RA – Risk Assessment: The RA control family covers an organization’s risk assessment policies and vulnerability scanning capabilities.
  • CA – Security Assessment and Authorization: The CA control family is specific to the execution of security assessment and authorization, including continuous monitoring, action plan and milestones, and system interconnections.
  • SC – System and Communications Protection: System and communications protection protocols include boundary protection, information at rest protection, collaborative computing devices, cryptographic protection, and denial of service protection.
  • SI – System and Information Integrity: The SI control family includes flaw remediation, malicious code protection, information system monitoring, security warnings, software and firmware integrity, and spam prevention.
  • SA – System and Services Acquisition: Controls that protect allocated resources and an organization’s system development life cycle are associated with the SA control family. It includes procedures for information system documentation, development configuration management, and developer security testing and evaluation.

How to Implement Control Families in the Risk Management Framework

The NIST Risk Management Framework (RMF) is a system development lifecycle framework that includes security, privacy, and cyber supply chain risk management operations. It is a seven-step process that allows organizations to choose which control families would best protect their organization based on risk assessment.

Organizational risk management is critical to information security and privacy programs. The RMF approach may be used with new and legacy systems, any system or technology (industrial control systems or the Internet of Things, for example), and any size or industry of business.

How Can ZenGRC Help With Cybersecurity?

ZenGRC’s governance, risk management, and compliance software is an intuitive, easy-to-understand platform that stores documents, tracks your workflows, and provides the visibility you need to manage risk.

ZenGRC does everything you and your staff do for NIST compliance, but more efficiently. Instead of using spreadsheets to manage your compliance requirements, ZenGRC streamlines evidence and audit management for all of your compliance frameworks.

Worry-free compliance management is the Zen way! To learn more about ZenGRC, contact us for a demo.