Security Controls
Controls are steps in processes — or components in information systems — that enforce compliance with business or security rules. Technology can enforce a control, or an individual may perform a manual step or procedure.
Preventive controls: Used to prevent errors and unauthorized actions.
Detective controls: Used to detect errors and unauthorized activities.
Corrective controls: Used to reverse or minimize the impact of errors and unauthorized events. These are also known as recovery controls.
Automatic controls: Those that automatically enforce a security policy.
Manual controls: Those that must be proactively performed in order to enforce a security policy.
All the controls discussed in the following sections fall into these categories. A control is preventive, detective, or corrective; also, the control is either automatic or manual.
Operations controls are the processes and procedures that protect business operations and information. The major operations controls are
Resource protection
Privileged entity controls
Change controls
Media controls
Administrative controls
Trusted recovery
The following sections delve into each operations control in more detail.
Resource protection
Resource protection is the broad category of controls that protect information assets and information infrastructure. The resources that require protection include
Communications hardware and software: Routers, switches, firewalls, load balancers, multiplexers, fax machines, Virtual Private Network (VPN) servers, and so on, as well as the software that these devices use
Computers and their storage systems: All corporate servers and client workstations, storage area networks (SANs), network-attached storage (NAS), direct-attached storage (DAS), near-line and offline storage systems, and backup devices
Business data: All stored information, such as financial data, sales and marketing information, personnel and payroll data, customer and supplier data, proprietary product or process data, and intellectual property
System data: Operating systems, utilities, user IDs and password files, audit trails, and configuration files
Backup media: Tapes, removable disks, and off-site replicated disk systems
Software: Application source code, programs, tools, libraries, vendor software, and other proprietary software
Privileged entity controls
Privileged entity controls are the mechanisms, generally built into computer operating systems, that grant privileged access to hardware, software, and data. In UNIX and Windows, the controls that permit privileged functions reside in the operating system.
Change controls
Change controls are the people-operated processes that govern architectural and configuration changes in a production environment. Instead of just making changes to systems and the way that they relate to each other, change control is a formal process of proposal, design, review, approval, implementation, and recordkeeping.
The two prevalent forms of change controls are Change Management and Configuration Management:
Change Management is the approval-based process that ensures that only approved changes are implemented.
Configuration Management is the control that records all of the soft configuration (settings and parameters in the operating system, database, and application) and software changes that are performed with approval from the Change Management process.
See Chapter 7 for more on Change and Configuration Management.
Media controls
Media controls refer to a broad category of controls that are used to manage information classification and physical media. Information classification refers to the tasks of marking information according to its sensitivity, as well as the subsequent handling, storage, transmission, and disposal procedures that accompany each classification level. Physical media is similarly marked; likewise, controls specify handling, storage, and disposal procedures.
Administrative controls
Administrative controls are the family of controls that includes least privilege, separation of duties, and rotation of duties. These controls form the basis of many processes, as well as access control and function control methodologies.
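The change-control process described above (proposal, review, approval, implementation, recordkeeping) and the separation-of-duties principle from this section can be enforced together by a small piece of automation. The following is an added example, not text or code from the original book: a hypothetical change-management workflow in which only approved changes reach the configuration baseline, no one reviews or approves their own proposal, every implemented change is recorded, and a drift check compares live settings with the approved baseline. The class names, role assignments and the sample setting name are assumptions.

```python
# Added example, not from the original text: a minimal change-management
# workflow that implements only approved changes, enforces separation of
# duties, and keeps a configuration-management record. Names are assumptions.
from dataclasses import dataclass
from enum import Enum

Stage = Enum("Stage", "PROPOSED REVIEWED APPROVED IMPLEMENTED")

@dataclass
class ChangeRequest:
    change_id: str
    proposer: str
    setting: str       # a soft configuration item (OS, database or app parameter)
    new_value: str
    stage: Stage = Stage.PROPOSED
    reviewer: str = ""
    approver: str = ""

class ChangeControl:
    def __init__(self, baseline):
        self.baseline = dict(baseline)  # approved soft configuration
        self.log = []                   # configuration-management record

    def review(self, cr, reviewer):
        if cr.stage is not Stage.PROPOSED:
            raise ValueError(f"{cr.change_id}: not awaiting review")
        if reviewer == cr.proposer:     # separation of duties
            raise PermissionError("proposer may not review own change")
        cr.reviewer, cr.stage = reviewer, Stage.REVIEWED

    def approve(self, cr, approver):
        if cr.stage is not Stage.REVIEWED:
            raise ValueError(f"{cr.change_id}: not reviewed yet")
        if approver in (cr.proposer, cr.reviewer):  # separation of duties
            raise PermissionError("approver must be independent")
        cr.approver, cr.stage = approver, Stage.APPROVED

    def implement(self, cr, implementer):
        if cr.stage is not Stage.APPROVED:  # preventive: unapproved never lands
            raise PermissionError(f"{cr.change_id}: change is not approved")
        self.log.append({"id": cr.change_id, "setting": cr.setting,
                         "old": self.baseline.get(cr.setting), "new": cr.new_value,
                         "approver": cr.approver, "implementer": implementer})
        self.baseline[cr.setting] = cr.new_value
        cr.stage = Stage.IMPLEMENTED

    def detect_drift(self, observed):
        # Detective control: live settings that differ from the approved baseline.
        return {k: (self.baseline.get(k), v) for k, v in observed.items()
                if self.baseline.get(k) != v}
```

The implement step is the preventive control, the log is the configuration-management record, and detect_drift is the detective control that flags settings changed outside the process.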
Trusted recovery
Trusted recovery is concerned with the processes and procedures that support the hardware or software recovery of a system. Specifically, the confidentiality and integrity of the information stored on and the functions served by a system being recovered must be preserved at all times.
The primary problem with system recovery is that a system may be operated briefly in maintenance or single-user mode in which all the software controls protecting the operating system and business data may not be functioning.
Organizations should have well-defined processes and procedures for system recovery to ensure that no inappropriate disclosure or leakage of sensitive information can occur.