There are many protective measures an information security specialist should be familiar with in order to apply the principles of the CIA triad. You should be able to compare security controls, understand the impact a control has on the organization, select and configure controls, and identify and apply the different types of security controls within the organization.
Information assurance is usually treated as part of a comprehensive security risk management process, which is the work of information security professionals. Several organizations have developed frameworks to guide this work: a set of policies developed within the organization to reduce risk in general and to align with recognized best practices. These procedures, policies, and activities are collectively referred to as security controls.
A security control is a safeguard designed to give a system the properties of the CIA triad (confidentiality, integrity, and availability, often extended with non-repudiation). Controls are divided into three main categories according to how they are implemented.
Technical Security Control: the control is implemented as a device or a software system. Examples are firewalls, antivirus software, and access control models. Technical controls are also described as logical controls.
Operational Security Control: the control is implemented primarily by people rather than by technology, for example security guards, and is described as operational rather than technical.
Managerial Security Control: the control provides oversight of the information system. It covers developing security risk reduction plans and policies, including identifying and assessing security risks and selecting the appropriate security controls and where to place them.
Security controls can also be classified by their objective or function.
Security Control Functional Types
Preventive Security Control: the term refers to all security controls, whether software or hardware, that operate before an attack with the aim of stopping it. Examples are IPS devices, access control lists (ACLs), and firewalls. In short, the term covers every security element that acts before an attack on the enterprise succeeds.
Detective Security Control: a term that complements the preventive category. These controls operate during or after the attack; they cannot stop it, but they identify and record the intrusion attempt, keep detailed records of the attack, and send reports to the network administrator. IDS devices are the classic example.
Corrective Security Control: a term that refers to actions taken after a successful security breach to restore the system. One example is restoring damaged or deleted data from a backup: if the data is wiped, a backup still exists to recover it from.
While controls are classified functionally as preventive, detective, or corrective, some other terms are used to describe further cases.
Physical Security Control: a term that refers to all physical protection measures, such as cameras, alarms, locks, and gates.
Deterrent Security Control: a kind of security control that works on the psychology of the attacker. It may not physically or logically prevent the attack, but it discourages the attacker and can lead to the attack not being attempted at all. One example is a warning notice about the legal penalties for trespassing.
Compensating Security Control: this term refers to a control that substitutes for another. For example, if security guards are not available, what control can be used in their place? A metal detection gate might be one answer. In short, when a required control is missing or damaged, the term refers to the alternative put in its place.
Security controls are also established through a range of policies and laws, both internal and external to the company. These laws and policies cover the types of controls that are appropriate and where they should be placed, as well as all the policies and procedures used to reduce security risk. A range of frameworks helps in developing such laws and policies.
A number of bodies have developed frameworks to help enterprises develop their policies. Some policies and laws are common to all enterprises, while others are specific to the company itself, based on its infrastructure and the way it operates. Among the best-known bodies that have published frameworks are NIST, IEEE, and ISO.
There are also frameworks aimed at a particular technology or purpose. For example, the ISO/IEC 27000 series covers information security management (with ISO/IEC 27017 extending it to cloud services), and NIST's RMF is dedicated to risk management. As noted above, there are frameworks from different bodies for almost every technology in use today.