Anjdeb Consulting

Security Compliance

The purpose of security controls is to safeguard the organisation and support its services by identifying and assessing risks, improving the security posture, and strengthening the prevention, detection and response mechanisms against security attacks. It is nearly impossible to protect an organisation against every attack by applying every possible control; the goal is to keep the residual risk at a level the organisation has agreed to accept. The governance, risk and compliance (GRC) function spans people, process and technology. It is the responsibility of the governance team to ensure that risks related to information and systems are proactively managed to protect organisational interests and reputation, thereby preventing non-compliance and costly remediation activities.



To mitigate organisational risks, the security controls applicable to the organisation are identified and documented. This is followed by control testing, and finally the outcome is reported and monitored. If an area of non-compliance is identified, the associated risk is evaluated and, based on its severity, a risk treatment plan is executed. The compliance result reflects the organisational security posture and is reported to senior management periodically.

Additionally, organisations need to comply with regulatory requirements by adhering to the laws, regulations, guidelines and specifications relevant to their business processes. Regulations and industry standards such as PCI DSS, HIPAA and GDPR focus on the handling of sensitive and personal information. It is incumbent on the organisation to ensure its systems comply with organisational security policies and controls. For instance, the ISO/IEC 27001 standard focuses on general information security controls and is widely adopted across organisations of all sizes.

Annex A of ISO/IEC 27001:2013 groups its controls into the following domains:

Information Security Policy –

The intent of an information security policy is to provide management direction for information security in line with business requirements and applicable laws and regulations. It is key that the policies are defined and approved by senior management and communicated to all associates of the organisation and to relevant external parties. It is vital that the policies are reviewed regularly and kept up to date. Policies should be straightforward and easy for all associates of the organisation to understand.


Organisation of Information Security –

Information security roles and responsibilities form a vital part of the organisational framework. These roles are defined according to the segregation of duties principle to prevent unauthorised or unintentional disclosure or modification of information. One way to achieve this is the role-based access control model, where permissions are assigned to roles and users are granted roles based on their job function rather than on personal identity.


Human Resource Security –

In terms of human resource security, background verification checks are carried out for employees and contractors prior to employment, and all associates are required to understand the responsibilities of the role for which they are being considered. Associates are also required to accept the terms of their agreement before they formally start work in the organisation. All associates should undergo security awareness training relevant to their job function. Responsibilities on termination or change of employment are communicated appropriately and enforced.


Asset Management –

Asset management requires the organisation to maintain an inventory of its assets, with ownership of each asset clearly defined. Acceptable use of assets is governed by organisational policies, and every asset must be returned to the organisation upon termination of employment or contract. Information handled by the organisation needs to be classified according to its criticality and sensitivity, and labelled according to the classification scheme. Appropriate procedures are also required for the removal, disposal and physical transfer of storage media.


Access Control –

As far as access control is concerned, only authorised users are allowed to access information and systems, and only on a need-to-know basis. Access rights are periodically reviewed and revoked when no longer required.

Cryptography –

Cryptographic controls cover the encryption of data at rest and in transit, and the secure generation, storage and management of the cryptographic keys throughout their lifecycle.


Physical & Environmental Security –

Physical and environmental security is an essential control as its objective is to prevent unauthorised physical access to organisation’s information and information processing facilities.


Operations Security –

Equally vital is operations security, which helps establish secure day-to-day operation of the organisation. It ensures that changes to the organisation’s systems and information are controlled, that controls against malware are in place, that information is backed up regularly and the backups tested against disaster recovery requirements, and that logging is enabled and monitored for both users and administrators to meet reporting and audit requirements.


Communications Security –

Communications security focuses on the protection of networks and their supporting information processing facilities, including the information that passes over them.


System Acquisition, Development & Maintenance –

System acquisition, development and maintenance ensures that information security is integrated across the entire lifecycle of information systems.


Supplier Relationships –

Supplier relationships are another area that requires due attention, primarily because an organisation works with external parties. Security controls also apply to suppliers to ensure the protection of organisational assets. Suppliers are required to maintain the agreed level of information security and service delivery set out in the supplier agreements.


Information Security Incident Management –

Information security incident management involves quick and effective response to incidents, reporting of any observed security weaknesses, and learning from incidents to reduce the likelihood and impact of future ones. All incidents are handled according to well-documented organisational procedures.


Information Security Aspects of Business Continuity Management –

Business continuity management ensures the continued operation of the business in the event of a crisis or other adverse situation. It is essential that information security is embedded within the business continuity controls.


Compliance –

Finally comes compliance, which forms the building blocks of any organisation’s programme as it relates to legal, regulatory and contractual requirements.


Once a security compliance assessment is performed, an action plan is prepared for the areas of non-compliance, and a target remediation date is clearly identified in consultation with the action owner. The action owner is responsible for executing the action plan and closing the control gap. If the organisation is not willing to close a particular control gap, the risk associated with it must be formally accepted by senior management and documented accordingly.

Organisations often have a false sense of security and consider their information processing facilities compliant on the basis of a one-time assessment. However, the threat landscape is ever changing, which means that security assessments need to be performed periodically to protect the organisation’s infrastructure and reduce the likelihood of a breach. An information security programme that encompasses an efficient compliance plan will strengthen the overall security posture of the organisation.
