Nature of Controls
This is about “controls” in the risk mitigation sense of the word.
- Technical (IT defenses)
- Managerial (a.k.a. “administrative controls”)
- Operational (physical controls and general organizational culture)
Functional Use of Controls
Controls can be further divided into:
- Deterrence (system banners, etc.)
- Prevention (firewalls, trainings, etc.)
- Detection (logs, anti-malware, regular audits, etc.)
- Corrective (mitigation/recovery)
Basically, if you can’t (or won’t) implement a given control, what control(s) do you layer in instead to provide equivalent security guarantees?
Industry-Standard Frameworks and Reference Architectures
- Standards: Descriptions of mandatory behavior/configurations/implementation
- Guides: Best practices for implementing standards
- Frameworks: Basically hyper-detailed guides
Regulatory and Non-Regulatory Requirements
The difference here boils down to: Which have teeth, and which are just fancy specifications?
- ISO 27002 (information security best practices; most commonly used by cloud providers)
- ISO 27001 (information security certification)
- ISO 27701 (ISO 27001 + privacy)
- ISO 31000 (risk management)
- SOC 2 (standardized requirements around the CIA triad + privacy)
- Various NIST standards
- COBIT (Control Objectives for Information Technology; IT management best practices, most commonly used as part of Sarbanes-Oxley compliance)
- COSO (Committee of Sponsoring Organizations; for governance and risk management)
- HITRUST CSF (Health Information Trust Common Security Framework; healthcare information handling)
- CSA CCM (Cloud Security Alliance Cloud Controls Matrix; cloud-specific security best practices)
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation; most commonly used in the education sector)
SOC = Service Organizational Control
Benchmarks and Secure Configuration Guides
CIS Critical Security Controls + related benchmarks and guides.