-
control, safeguard, or countermeasure
helps to reduce risks - a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature
-
the classifications of security controls
management controls
operational controls
technical controls
-
management controls
security controls that are very broad, and focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission
-
operational controls
security controls that address the correct implementation and use of security policies and standards - primarily implemented by people rather than systems - and that improve the security of a system or group of systems
-
technical controls
security controls that involve the correct use of hardware and software security capabilities in systems - range from simple to complex measures that work together to secure critical and sensitive data, info, and IT systems functions
-
supportive controls
pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
-
preventative controls
focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
-
detection and recovery controls
focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources
-
IT security plan
documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used
-
IT security plan should include:
-risks - asset/threat/vulnerability combinations
-recommended controls - from the risk assessment
-action priority for each risk
-selected controls - on the basis of the cost-benefit analysis
-required resources for implementing the selected controls
-responsible personnel
-target start and end dates for implementation
-maintenance requirements and other comments
-
the follow-up stage of the management process includes:
- maintenance of security controls
- security compliance checking
- change and configuration management
- incident handling
-
maintenance tasks include ensuring that:
- controls are periodically reviewed
- controls are upgraded when new requirements are discovered
- changes to systems do not adversely affect the controls
- new threats or vulnerabilities have not become known
-
security compliance
an audit process to review the organization's security processes - to verify compliance with the security plan
-
change management
the process used to review proposed changes to systems for implications on the organization's systems and use
-
configuration management
specifically concerned with keeping track of the configuration of each system in use and the changes made to each - includes lists of the hardware and software versions installed on each system
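As an added example (not from the original card set), the following Python script shows how the security compliance check, change management, and configuration management cards fit together in practice: a recorded baseline of installed software versions per system is compared against what is actually installed, every difference is classified as either an approved change (one that went through change management) or an unapproved drift finding, approved changes that were never applied are reported, and the baseline is rolled forward only for verified changes. The data model (host -> {package: version}, change records as (host, package, old, new) tuples) and all sample inventories are constructed assumptions, not part of the original page.

```python
"""Configuration baseline drift check (illustrative; constructed data).

Assumed data model, not from the page: a baseline inventory maps each host to
{package: version}; a change record is (host, package, old, new), with old or
new set to None for an install or a removal, approved via change management.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Inventory = Dict[str, Dict[str, str]]
Change = Tuple[str, str, Optional[str], Optional[str]]  # host, package, old, new


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    old: Optional[str]
    new: Optional[str]
    approved: bool  # True if the difference matches an approved change record

    @property
    def kind(self) -> str:
        if self.old is None:
            return "added"
        if self.new is None:
            return "removed"
        return "changed"


def diff_inventory(baseline: Inventory, current: Inventory) -> List[Change]:
    """Every difference between the recorded baseline and what is installed now."""
    diffs: List[Change] = []
    for host in sorted(set(baseline) | set(current)):
        base_pkgs = baseline.get(host, {})
        cur_pkgs = current.get(host, {})
        for pkg in sorted(set(base_pkgs) | set(cur_pkgs)):
            old, new = base_pkgs.get(pkg), cur_pkgs.get(pkg)
            if old != new:
                diffs.append((host, pkg, old, new))
    return diffs


def audit(baseline: Inventory, current: Inventory, approved: List[Change]) -> List[Finding]:
    """Compliance check: classify each observed difference as approved or unapproved."""
    approved_set = set(approved)
    return [Finding(h, p, o, n, (h, p, o, n) in approved_set)
            for h, p, o, n in diff_inventory(baseline, current)]


def unapplied_changes(baseline: Inventory, current: Inventory, approved: List[Change]) -> List[Change]:
    """Approved changes (e.g. a scheduled patch) that are not yet reflected on the system."""
    observed = set(diff_inventory(baseline, current))
    return [c for c in approved if c not in observed]


def apply_approved(baseline: Inventory, approved: List[Change]) -> Inventory:
    """Roll approved changes into a new baseline; refuse if the record does not match the baseline."""
    new_baseline = {h: dict(p) for h, p in baseline.items()}
    for host, pkg, old, new in approved:
        pkgs = new_baseline.setdefault(host, {})
        if pkgs.get(pkg) != old:
            raise ValueError(f"{host}:{pkg} baseline is {pkgs.get(pkg)!r}, change expects {old!r}")
        if new is None:
            pkgs.pop(pkg, None)
        else:
            pkgs[pkg] = new
    return new_baseline


# Constructed sample data: two hosts, one approved patch applied, one pending,
# and one unapproved package that appeared on web01.
BASELINE: Inventory = {
    "web01": {"nginx": "1.24.0", "openssl": "3.0.13", "openssh-server": "9.6p1"},
    "db01": {"postgresql": "16.2", "openssl": "3.0.13"},
}
CURRENT: Inventory = {
    "web01": {"nginx": "1.24.0", "openssl": "3.0.14", "openssh-server": "9.6p1", "netcat": "1.226"},
    "db01": {"postgresql": "16.2", "openssl": "3.0.13"},
}
APPROVED: List[Change] = [
    ("web01", "openssl", "3.0.13", "3.0.14"),
    ("db01", "openssl", "3.0.13", "3.0.14"),
]

if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT, APPROVED):
        status = "approved" if f.approved else "UNAPPROVED"
        print(f"{status:10} {f.kind:7} {f.host}:{f.package} {f.old} -> {f.new}")
    for h, p, o, n in unapplied_changes(BASELINE, CURRENT, APPROVED):
        print(f"PENDING    {h}:{p} {o} -> {n} approved but not applied")
```

Run against the sample data, the audit flags the netcat install on web01 as unapproved drift, accepts the openssl update on web01 because a matching change record exists, and reports the db01 openssl update as approved but still pending. The baseline is only updated through apply_approved, so an unapproved change never silently becomes the new reference configuration.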