
Simplifying Information Security: Security Controls

Danish Nafay hosts a Masterclass on best practices in Information Security. In this series, Danish will talk about various aspects of information security. In this episode, Danish talks about security controls: what they are, how they are categorized, and how they shape workflow, security and policy decisions in any organization. Share your insights and feedback with us and stay tuned for additional episodes in the series!

In this episode of Simplifying Information Security, we are talking about security controls. 

Security controls can be categorized in many ways. One common scheme groups them by how they are implemented. Under this scheme there are three types of security control:

  • Administrative controls,
  • Technical controls, and
  • Physical controls.

Administrative controls (also called management controls) are implemented through management policies and documents. Examples of such controls are:

  • policies,
  • standards,
  • baselines,
  • guidelines, and
  • procedures.

You may have come across these terms before and today we will look at each of them in depth.

Policies are high-level documents approved by top management. A policy is mandatory: for example, an employee has no choice about whether to agree with the organization's Acceptable Use Policy.

Policies are also written at a high level. They do not go into the specifics of technology and versions. For example, you will not see the term "Windows 10" in a policy; it will use the generic term "the operating system" instead. Because of this, a routine version upgrade does not send the policy back through the management approval process.

The basic components of a Policy are:

  • Purpose,
  • Scope,
  • Responsibilities, and
  • Compliance.

A standard describes the specific use of a technology. For example: all laptops and mobile devices will be encrypted using AES with a 256-bit key.

As you can see from that statement, standards are mandatory and specific. Having standards helps to create a homogeneous environment, which in turn makes recovery procedures easier.

Baselines are the uniform, concrete settings through which a standard is implemented. A baseline fixes the minimum configuration a system must meet to satisfy the standard, so that every system is built and checked the same way.

Unlike the above, guidelines are discretionary. They are recommendations that suggest how an employee is expected to act, and they are derived from best practices. They are especially useful for novice users. For example, a new user can be given a guideline on how to follow the organization's password policy.

Procedures are the most detailed and specific of all these documents. They are step-by-step instructions for completing a specific task, and they are mandatory. If any step is missing from a procedure, the task may not be accomplished.
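To make the distinction between a standard and a baseline concrete, here is an added example that is not part of the original post. It takes the standard quoted above (AES with a 256-bit key on all laptops and mobile devices), expresses it as a checkable baseline, and verifies a device inventory against it. The setting names, the baseline values and the inventory are constructed for illustration; real tooling (an MDM or a benchmark scanner) uses its own names and data sources.

```python
"""Check a device inventory against a security baseline derived from a standard.

Added example, not from the original post. Setting names, baseline values and
the inventory are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# The standard: a mandatory, technology-specific statement (from the post).
STANDARD = "All laptops and mobile devices will be encrypted using AES with a 256-bit key."

# The baseline: the concrete settings a device must report to satisfy the standard.
# Hypothetical setting names; they are not taken from any real product.
BASELINE = {
    "disk_encryption.enabled": True,
    "disk_encryption.algorithm": "AES",
    "disk_encryption.key_bits": 256,
}

# Device types the standard is scoped to.
IN_SCOPE_TYPES = {"laptop", "mobile"}


@dataclass
class Finding:
    hostname: str
    setting: str
    expected: object
    actual: object


def check_device(device: dict) -> list[Finding]:
    """Return one Finding per baseline setting the device does not meet.

    A missing setting is a deviation, not a pass: a device that cannot report
    its encryption state has not demonstrated that it meets the standard.
    """
    findings: list[Finding] = []
    settings = device.get("settings", {})
    for setting, expected in BASELINE.items():
        actual = settings.get(setting)
        if actual != expected:
            findings.append(Finding(device["hostname"], setting, expected, actual))
    return findings


def check_inventory(inventory: list[dict]) -> dict[str, list[Finding]]:
    """Map each non-compliant in-scope hostname to its findings.

    Devices outside the standard's scope (e.g. servers) are skipped rather than
    reported, because the standard says nothing about them.
    """
    report: dict[str, list[Finding]] = {}
    for device in inventory:
        if device.get("type") not in IN_SCOPE_TYPES:
            continue
        findings = check_device(device)
        if findings:
            report[device["hostname"]] = findings
    return report


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"hostname": "lt-001", "type": "laptop",
     "settings": {"disk_encryption.enabled": True,
                  "disk_encryption.algorithm": "AES",
                  "disk_encryption.key_bits": 256}},
    {"hostname": "lt-002", "type": "laptop",        # right algorithm, wrong key length
     "settings": {"disk_encryption.enabled": True,
                  "disk_encryption.algorithm": "AES",
                  "disk_encryption.key_bits": 128}},
    {"hostname": "mb-007", "type": "mobile",        # reports nothing at all
     "settings": {}},
    {"hostname": "srv-01", "type": "server",        # out of scope for this standard
     "settings": {"disk_encryption.enabled": False}},
]

if __name__ == "__main__":
    print("Standard:", STANDARD)
    for host, findings in check_inventory(INVENTORY).items():
        for f in findings:
            print(f"{host}: {f.setting} expected {f.expected!r}, got {f.actual!r}")
```

Note how the three layers separate: the standard is a stable sentence that rarely changes, the baseline is the machine-checkable translation of it that a technical team maintains, and the script is one step of a procedure for verifying that the technical control is actually in place.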

Other examples of administrative controls are training, awareness programs, reward mechanisms and approval processes.

Historically, some organizations have tried to merge all of these documents into one single policy. This creates a risk that the document becomes outdated and irrelevant, since every technology change then requires a change to the policy itself.

Technical controls:

Technical controls are implemented using software, hardware or other technical means. They are also called logical controls. Examples of technical controls are intrusion detection systems, intrusion prevention systems, firewalls, routers, OS hardening, encryption and many others. Security professionals spend the majority of their time implementing and maintaining technical controls.

Physical Controls:

Physical controls are implemented with tangible mechanisms to protect information. Examples include mantraps, fences, lighting, locks, HVAC, guard dogs, human security guards and other similar controls. Usually these controls are implemented by the physical security team.

Can you list some of the controls around you? What best practices are you looking to implement? Let's discuss.
