Critical Security Controls Your Business Needs

A security control is a countermeasure or safeguard that reduces risk to your business. It can be physical, like a lock on a door; technical, like a firewall; or administrative, like a company policy. Business owners should understand the full range of controls available to them for a few reasons. First, regulations such as HIPAA and GDPR require organizations to put appropriate controls in place for the information systems they operate, and executives who fail to comply can face heavy fines, reputational damage and, in some cases, criminal liability. Second, controls are the building blocks of your overall security strategy: knowing which kinds exist, and what each one does and does not do, is how you make sure every area is covered.

Control Categories

Physical controls: These are the tangible devices and measures used to prevent or detect unauthorized entry to company premises and assets, such as fences, surveillance cameras and guard dogs.

Technical controls: These are the hardware and software mechanisms that protect assets against logical (non-physical) threats, such as encryption, firewalls, antivirus software and intrusion detection systems (IDS).

Administrative controls: These are the policies, procedures and guidelines that direct how the company achieves its security goals, such as hiring and termination procedures, acceptable use of equipment and the Internet, physical access rules and separation of duties.

Types Of Controls

Preventative Controls

Preventative security controls are the ones you use to stop malicious actions before they happen. They are the controls you will rely on most, because a threat that is blocked never becomes an incident; they cannot stop everything, though, which is why the other types below exist. Examples include:

Computer Firewalls (Technical): A firewall is a hardware or software device that filters network traffic against a set of rules, ideally denying anything not explicitly allowed, to prevent unauthorized access to your systems.

Antivirus (Technical): Software that prevents, detects and removes malware on computer systems.

Security Guards (Physical): Guards are assigned to an area and are responsible for making sure nobody enters a restricted space without authorization.

Physical Locks (Physical): Any lock on a door that prevents anyone without the key from entering the room.

Hiring and Termination Policies (Administrative): During hiring, background checks help keep people with a documented history of serious misconduct out of the company. Termination procedures let managers remove employees who are causing harm to the company and, just as importantly, ensure that a departing employee's accounts, keys and access cards are revoked on the day they leave.

Separation of Duties (Administrative): Separation of duties means requiring more than one person to complete a sensitive task, for example one person raises a payment and a different person approves it. Because no single individual controls the whole process, a fraud would require collusion, and an attempt by one person would be noticed by the others involved.
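The separation-of-duties rule above can be enforced in software rather than left to procedure. The following is an added example written for this page, not code from any product or from the original text: a maker-checker check on a hypothetical payment request, where the requester may never approve their own request, the same approver cannot count twice, and the assumed policy requires two independent approvers before the payment executes.

```python
"""Separation of duties enforced in code: a maker-checker rule for a sensitive
task. Added example for this page, not code from any product; the
PaymentRequest model and the two-approver threshold are assumptions."""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person would both initiate and approve a task."""


@dataclass
class PaymentRequest:
    request_id: str
    requested_by: str                 # the "maker" who initiated the task
    amount: int                       # amount in cents (assumed unit)
    approvals: set = field(default_factory=set)  # the "checkers"
    required_approvals: int = 2       # assumed policy: two independent reviewers


def approve(req: PaymentRequest, approver: str) -> None:
    """Record an approval, rejecting self-approval and duplicate approvals,
    the two ways a single person could complete the task alone."""
    if approver == req.requested_by:
        raise SeparationOfDutiesError(
            f"{approver} cannot approve their own request {req.request_id}")
    if approver in req.approvals:
        raise SeparationOfDutiesError(
            f"{approver} has already approved {req.request_id}")
    req.approvals.add(approver)


def is_executable(req: PaymentRequest) -> bool:
    """Only enough distinct people other than the maker satisfy the control."""
    return len(req.approvals - {req.requested_by}) >= req.required_approvals


def execute(req: PaymentRequest, ledger: list) -> bool:
    """The preventive check: refuse to act unless the control is satisfied."""
    if not is_executable(req):
        return False
    ledger.append((req.request_id, req.amount))
    return True


def demo() -> dict:
    """Walk through the control with a constructed request; returns what happened."""
    ledger = []
    req = PaymentRequest("PAY-1", requested_by="alice", amount=250_000)
    outcome = {}
    try:                                         # alice tries to approve herself
        approve(req, "alice")
        outcome["self_approval_blocked"] = False
    except SeparationOfDutiesError:
        outcome["self_approval_blocked"] = True
    approve(req, "bob")                          # one checker is not enough
    outcome["executed_with_one_approval"] = execute(req, ledger)
    try:                                         # bob approving twice is still one person
        approve(req, "bob")
        outcome["duplicate_approval_blocked"] = False
    except SeparationOfDutiesError:
        outcome["duplicate_approval_blocked"] = True
    approve(req, "carol")                        # second independent checker
    outcome["executed_with_two_approvals"] = execute(req, ledger)
    outcome["ledger"] = ledger
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the check is that the system, not the people, refuses to complete the task: the payment is only written to the ledger once two people other than the requester have signed off, so defrauding the company requires at least three colluding insiders.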

Detective Controls

These controls detect malicious activity in your environment that has slipped past your preventative measures. You cannot stop every attack, but you can find the ones that succeeded so you can contain them and fix the weakness they exploited. Some examples include:

Intrusion Detection Systems (Technical): An intrusion detection system monitors a company's network or hosts and alerts you when abnormal or known-malicious activity is detected.

Audit Trails and Logs (Technical): Logs are records of activity on a system or network. Reviewing them, ideally with automated rules rather than by eye, lets you determine whether malicious activity took place and reconstruct what happened.

Video Surveillance (Physical): Cameras set up in important areas of the company, with people or software monitoring the feeds to spot anyone who gained access they were not supposed to have.

Enforcing Staff Vacations (Administrative): Enforced vacations help detect fraud by requiring individuals to step away from their work while someone else takes over the process. The person covering the task is well placed to notice if the regular holder has been involved in fraudulent activity.

Review Access Rights (Administrative): Periodically reviewing each individual's access rights shows who holds access to resources they should not, including people who changed roles or left, and lets you check who has actually been using those resources.
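Two of the detective controls above, log review and access review, are easiest to understand as small scripts. The block below is an added example for this page, not code from the original text or any product: it parses constructed sshd-style log lines to flag a password-guessing burst from one address (escalating when a login succeeds right after the failures), and it compares a constructed account list against an assumed role matrix to surface rights beyond the role and access left on an inactive account. The log lines, roles, threshold and window are all assumptions.

```python
"""Two detective controls as review scripts: brute-force detection over an auth
log and an access-rights review against a role matrix. Added example for this
page, not code from any product; the log lines, roles and thresholds are
constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2303]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:09 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:01:12 web1 sshd[2307]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 10:01:15 web1 sshd[2309]: Failed password for root from 203.0.113.7 port 51063 ssh2
Mar  3 10:01:20 web1 sshd[2311]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Mar  3 10:05:44 web1 sshd[2350]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar  3 10:06:01 web1 sshd[2352]: Accepted publickey for alice from 198.51.100.4 port 40015 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) per matching line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())           # collapse the day padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_brute_force(text, threshold=5, window=timedelta(minutes=2)):
    """Alert on a source IP with >= threshold failures inside the window, and
    raise severity when a success from that IP follows (likely guessed password)."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(text):
        by_ip[ev[3]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [e[0] for e in events if e[1] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            last = fails[i + threshold - 1]
            if last - fails[i] <= window:
                wins = [e for e in events
                        if e[1] == "Accepted" and last <= e[0] <= last + window]
                alerts.append({"ip": ip, "failures": threshold,
                               "severity": "critical" if wins else "high",
                               "user": wins[0][2] if wins else None})
                break                                    # one alert per source
    return alerts


# Constructed role matrix and account list (assumptions for the example).
ROLE_PERMISSIONS = {
    "developer": {"git:push", "ci:read"},
    "finance": {"payments:approve", "ledger:read"},
}
ACCOUNTS = [
    {"user": "alice", "role": "developer", "active": True,
     "granted": {"git:push", "ci:read", "payments:approve"}},   # right beyond role
    {"user": "bob", "role": "finance", "active": True,
     "granted": {"payments:approve", "ledger:read"}},            # matches role
    {"user": "dave", "role": "developer", "active": False,
     "granted": {"git:push"}},                                    # left, still has access
]


def review_access(accounts=ACCOUNTS, role_permissions=ROLE_PERMISSIONS):
    """Findings: rights beyond the role, and any access left on inactive accounts."""
    findings = []
    for acct in accounts:
        if not acct["active"] and acct["granted"]:
            findings.append({"user": acct["user"], "issue": "inactive account retains access",
                             "rights": sorted(acct["granted"])})
            continue
        excess = acct["granted"] - role_permissions.get(acct["role"], set())
        if excess:
            findings.append({"user": acct["user"], "issue": "rights beyond role",
                             "rights": sorted(excess)})
    return findings


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_AUTH_LOG))
    print(review_access())
```

On the constructed data the log rule produces one critical alert (five failures from 203.0.113.7 in 13 seconds followed by a successful root login, which is exactly the case "prevention failed, now find it"), and the access review flags alice's finance permission and dave's lingering repository access. Real deployments feed the same logic from a SIEM and an identity system rather than from inline literals, but the checks are the same.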

Deterrent controls

Deterrent controls are designed to discourage people, employees and outsiders alike, from engaging in activities that could harm your company, so you have fewer real threats to deal with. This is usually done by making the action harder to carry out or by making the consequences of getting caught well known. Some examples include:

Guard Dogs (Physical): Having guard dogs is intimidating for potential trespassers, and can help to deter them.

Warning Signs (Physical): Advertising that your property is monitored and protected by security alarms can discourage people from breaking in.

Pop-up Messages (Technical): Displaying messages on computers and corporate home pages that warn users about prohibited behaviour (for example, that company laptops may not be used to access pornography).

Firewalls (Technical): You may have seen that browsing certain sites on a corporate laptop gets blocked with a warning that the site is not permitted. That block page is meant to discourage people from trying such sites at work; the filtering rule behind it is, of course, also a preventative control.

Advertise Monitoring (Administrative): Many companies make it known that administrative account activity is logged and reviewed, which deters people from misusing those accounts.

Employee Onboarding (Administrative): During onboarding you can spell out the penalties for misconduct in the workplace, which deters employees from engaging in bad behaviour.

Recovery Controls

These controls restore your systems and operations to normal after a security incident. Some examples include:

Reissue Access Cards (Physical): If an access card is lost or stolen, it must be deactivated and a replacement issued.

Repair Physical Damage (Physical): You need to know how to get a door, fence or lock repaired quickly.

Data Backups (Technical): Regularly back up your data and have a tested procedure for restoring quickly from the last good backup in an emergency. A backup that has never been restored, or whose integrity is never checked, is not a recovery control you can count on.

Technical Patching (Technical): If a new vulnerability is discovered that puts your company at risk, you need to be able to roll out a patch quickly and return to a secure state. (Patching is also commonly classed as a corrective control.)

Disaster Recovery Plan (Administrative): A plan that outlines how to get back to normal operations following a natural or human-made disaster.

Incident Response Plan (Administrative): A plan that outlines the steps for detecting, containing and eradicating a cybersecurity breach and returning to normal business operations afterwards.
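"The last good backup" only means something if "good" is verified rather than assumed. The following is an added example for this page, not code from any backup product or from the original text: each backup is written with a SHA-256 manifest, a restore first checks the manifest, and when the newest copy fails verification the script falls back to the newest copy that passes. The directory layout, manifest format and sample files are assumptions constructed for the example.

```python
"""Backup with an integrity manifest, so "the last good backup" is chosen by
verification rather than by date. Added example for this page, not code from
any backup product; directory layout and manifest format are assumptions."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backups: Path, name: str) -> Path:
    """Copy src into backups/name/data and record a SHA-256 for every file."""
    dest = backups / name
    shutil.copytree(src, dest / "data")
    manifest = {str(p.relative_to(dest / "data")): sha256_of(p)
                for p in sorted((dest / "data").rglob("*")) if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup: Path) -> bool:
    """Good only if the manifest is readable, no files are missing or extra,
    and every file still matches its recorded hash."""
    try:
        manifest = json.loads((backup / MANIFEST).read_text())
    except (OSError, ValueError):
        return False
    data = backup / "data"
    present = {str(p.relative_to(data)) for p in data.rglob("*") if p.is_file()}
    if present != set(manifest):
        return False
    return all(sha256_of(data / rel) == digest for rel, digest in manifest.items())


def last_good_backup(backups: Path):
    """Newest backup that verifies; None means you have a recovery gap, not a backup."""
    for candidate in sorted(backups.iterdir(), reverse=True):
        if candidate.is_dir() and verify_backup(candidate):
            return candidate
    return None


def restore(backup: Path, target: Path) -> None:
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup / "data", target)


def demo() -> dict:
    """Constructed scenario: two backups, the newest silently corrupted afterwards."""
    root = Path(tempfile.mkdtemp())
    src, backups, restored = root / "src", root / "backups", root / "restored"
    src.mkdir()
    backups.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")
    make_backup(src, backups, "2024-03-01")
    (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
    newest = make_backup(src, backups, "2024-03-02")
    # Simulate bit rot or tampering in the newest copy after it was taken.
    (newest / "data" / "ledger.csv").write_text("id,amount\n1,999\n")
    chosen = last_good_backup(backups)
    restore(chosen, restored)
    result = {"newest_verifies": verify_backup(newest), "chosen": chosen.name,
              "restored_ledger": (restored / "ledger.csv").read_text()}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Note what the scenario shows: restoring "the newest backup" would have silently reinstated the corrupted ledger, while verifying first restores the older but intact copy. The same manifest check is what you would run on a schedule, long before an emergency, to know whether your backups are actually restorable.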

In short: you need to comply with information security regulations; you want to deter people from trying to steal your company's information; you want controls that prevent them from getting it; you must be able to detect when someone has breached the organization anyway; and you need to be able to recover when they have.