It is often wrongly assumed that a single control of any kind is sufficient to resolve a risk. In fact, it is frequently the case that more than one control is required, and these may often be controls of different types. It is common that a risk may have been reduced by some means, but leaving some level of risk that is shared with a third party before the residual risk is accepted.

There are three levels of control: strategic, tactical and operational. Figure D.1 illustrates the overall structure of controls.

STRATEGIC CONTROLS

Strategic controls come in four flavours:

• Avoid or terminate – avoiding or terminating the risk can mean either stopping doing the activity, in which case there may well be some residual risk, or not commencing an activity, in which case the organisation may be left with an unsolved problem that the activity was intended to address.
• Reduce or modify – reducing or modifying the risk involves the application of suitable controls that result in a lower level of risk once they have been applied. There may remain some residual risk following treatment.
• Transfer or share – transferring or sharing the risk moves treatment of the risk to a third party who will take action if the risk materialises. Insurance is a common form of risk transfer. However, the organisation that transfers the risk still retains ownership of it.
• Accept or tolerate – when all other options have been discounted, acceptance of the risk is the final choice. This will also be the case when any of the other three options result in some degree of residual risk.

It must be remembered, however, that ignoring a risk is not the same as accepting it, and should never be an option.

TACTICAL CONTROLS

There are also four types of tactical control:

• Detective controls – detective controls are intended to identify and provide some form of alert when a threat is actually having a detrimental effect on an information asset or may be about to do so.
• Preventative controls – preventative controls are intended to stop a threat from having a detrimental effect on an information asset before the threat has any opportunity to do so.
• Directive controls – directive controls are intended to provide instruction on how to stop a threat from having a detrimental effect on an information asset or how to avoid activities that could initiate a detrimental result.
• Corrective controls – corrective controls are intended to prevent a threat from further detrimental activity, to recover from such activity or to prevent it from recurring.

OPERATIONAL CONTROLS

There are just three types of operational control:

• Procedural or people controls – procedural controls dictate the way in which actions must be taken and include such things as segregation of duties, change control mechanisms and the ongoing monitoring of risk.
• Physical or environmental controls – physical controls protect or change the environment in which information is stored and processed and include such things as locked doors and CCTV systems.
• Technical or logical controls – technical controls cover the technology-related aspects of information risk management and include such things as antivirus software and firewalls.

The following sections list the chief controls suggested by:

• the Centre for Internet Security Controls Version 8;
• ISO/IEC 27001:2017;
• NIST Special Publication 800-53 Revision 5.

THE CENTRE FOR INTERNET SECURITY CONTROLS VERSION 8

A number of organisations have published a list of the 18 most critical security controls. The list is based upon the Centre for Internet Security Controls Version 8. While this is not necessarily a comprehensive list of controls, it does provide a good starting point for organisations that have conducted their risk assessments but are unsure where to begin with risk treatment. The document may be downloaded from: https://www.cisecurity.org/controls/.

• Inventory and Control of Enterprise Assets (includes five sub-controls)
  • Organisations should actively manage (inventory, track and correct) all enterprise assets (end-user devices, including portable and mobile, network devices, non-computing/IoT devices and servers) connected to the infrastructure physically, virtually, remotely and those within cloud environments to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorised and unmanaged assets to remove or remediate.
• Inventory and control of software assets (includes seven sub-controls)
  • Organisations should actively manage (inventory, track and correct) all software (operating systems and applications) on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
• Data Protection (includes 14 sub-controls)
  • Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.
• Secure Configuration of Enterprise Assets and Software (includes 12 sub-controls)
  • Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile, network devices, non-computing/IoT devices and servers) and software (operating systems and applications).
• Account Management (includes six sub-controls)
  • Use processes and tools to assign and manage authorisation of credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.
• Access Control Management (includes eight sub-controls)
  • Use processes and tools to create, assign, manage and revoke access credentials and privileges for user, administrator and service accounts for enterprise assets and software.
• Continuous Vulnerability Management (includes seven sub-controls)
  • Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure in order to remediate and minimise the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
• Audit Log Management (includes 12 sub-controls)
  • Collect, alert, review and retain audit logs of events that could help detect, understand or recover from an attack.
• Email and Browser Protections (includes seven sub-controls)
  • Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behaviour through direct engagement.
• Malware Defences (includes seven sub-controls)
  • Prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets.
• Data Recovery (includes five sub-controls)
  • Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
• Network Infrastructure Management (includes eight sub-controls)
  • Establish, implement and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
• Network Monitoring and Defence (includes 11 sub-controls)
  • Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base.
• Security Awareness and Skills Training (includes nine sub-controls)
  • Establish and maintain a security awareness programme to influence behaviour among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
• Service Provider Management (includes seven sub-controls)
  • Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
• Application Software Security (includes 14 sub-controls)
  • Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses before they can impact the enterprise.
• Incident Response Management (includes nine sub-controls)
  • Establish a programme to develop and maintain an incident response capability (for example, policies, plans, procedures, defined roles, training and communications) to prepare, detect and quickly respond to an attack.
• Penetration Testing (includes five sub-controls)
  • Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes and technology) and simulating the objectives and actions of an attacker.

ISO/IEC 27001:2017 CONTROLS

Although the primary ISO standard for information risk management is ISO/IEC 27005, it contains no detailed information on suitable tactical or operational controls for risk treatment, restricting itself instead to the strategic level only. Instead, ISO/IEC 27001:2017 provides an annex containing a comprehensive list of 114 separate operational level controls, grouped into 14 categories.

A more detailed description of the controls can be found in ISO/IEC 27002:2017 in its sections 5 to 18. The categories and their associated controls are summarised below.

A.5 Information security policies (2 controls)

The information security policy controls specify that organisations should define, approve and communicate information security policies to all stakeholders both within and outside the organisation. They also state the need to review these policies at intervals, or if anything changes that might impact on the policies.

A.6 Organisation of information security (7 controls)

This area of controls introduces the need for defined responsibilities within the organisation, along with the segregation of duties in order to prevent misuse and abuse. Interestingly, this area introduces the concept that information security should be considered in all organisational projects, regardless of whether or not they are related to information security.

Additionally, this area deals with the need to address the security of mobile devices and teleworking options.

A.7 Human resource security (6 controls)

This area deals with three distinct topics. Firstly, those controls required prior to employment, including background checks and the employment terms and conditions that relate to information security. Secondly, those controls that apply during a period of employment, including the requirement to adhere to the organisation’s information security policies, the need for security awareness training and the disciplinary procedures. Finally, those controls that apply to any employee’s change of responsibilities or when they leave the organisation.

A.8 Asset management (10 controls)

Asset management controls are concerned with the identification of the organisation’s information assets, allocation of ownership of them, their information classification, labelling and handling, their acceptable use and their return when employees leave the organisation.

Additionally, this area specifies controls concerned with the management, transfer and disposal of media such as memory sticks and DVDs.

A.9 Access control (14 controls)

One of the larger topic areas, access controls require a policy that provides for access to network resources to which users have been authorised, and the registration and deregistration and access provisioning processes. It goes on to cover the ongoing management of user access rights and their revocation or modification.

Additionally, access control covers the access to systems and application functions, password management and the access to privileged system utility software and source code.

A.10 Cryptography (2 controls)

Cryptography controls include the provision of a cryptographic policy and the process for cryptographic key management.

A.11 Physical and environmental security (15 controls)

Physical and environmental controls begin with those for controlling the physical perimeter of premises together with controls for restricting entry to the premises and areas within it, including secure areas such as computer rooms and less secure areas such as loading bays. It also includes the need to protect the premises from environmental threats and hazards.

The controls continue by considering the siting of equipment, the utilities that support it and the processes for removing it from the premises. Finally, they cover the need for clear desks and screens.

A.12 Operations security (14 controls)

Operational security controls focus on formal operating procedures, the need for change and capacity management and the separation of systems used for testing from those in the live environment. They go on to cover malware protection, event logging and the need to synchronise system clocks, the management of vulnerabilities and the requirement to restrict the installation of unauthorised software on systems.

A.13 Communications security (7 controls)

Communication security controls deal with the provision of security for networks and network services, and in particular they highlight the need to segregate networks carrying different security classifications of traffic.

They continue by describing the need to manage the transfer of information across and between organisations and include electronic communications such as email and social networking and the requirement for non-disclosure agreements.

A.14 System acquisition, development and maintenance (13 controls)

This area deals both with the requirement for information security specifications to be included in the procurement process and how application services and their transactions passing over public networks require protection.

It continues by examining the need for development rules and change control procedures, technical reviews and secure design principles, whether development takes place within the organisation or outside it. Finally, it covers the security and system acceptance testing to be carried out on all systems.

A.15 Supplier relationships (5 controls)

Supplier relationships are key to many organisations’ day-to-day operations, and consequently the controls in this area relate to security policies and agreements between the organisation and its suppliers. In addition, the controls include the ongoing monitoring of the service delivery and how changes are carried out.

A.16 Information security incident management (7 controls)

Dealing with security incidents requires its own set of controls, which include the allocation of responsibilities for the IM team and the reporting of both incidents and weaknesses within the organisation. The controls then focus on how incidents are assessed and dealt with, how lessons are learnt that can reduce future risk, and how the evidence (whether physical or electronic) of an incident should be collected, handled and stored.

A.17 Information security aspects of business continuity management (4 controls)

In this section, the standard considers the controls required for the planning and implementation of continuity of availability of information services, which include BC, DR and the redundant operation of systems.

A.18 Compliance (8 controls)

The controls for compliance deal with legal and regulatory requirements and the protection of essential records, how personally identifiable information is handled and, in cases where cryptography is used, how this is managed to ensure compliance with legislation.

Finally, the compliance section deals with independent reviews of the information security position within an organisation, and how individual parts of an organisation comply with its defined security policies.

NIST SPECIAL PUBLICATION 800-53 REVISION 5

Although the primary NIST publication on information risk management is Special Publication 800-30, it contains no detailed information on risk treatment or the selection of controls. However, NIST Special Publication 800-53 Revision 5 lists more than 300 separate operational level controls, grouped into 20 categories in its Appendix F, and also maps them against ISO/IEC 27001 controls in its Appendix H. The document can be downloaded free of charge from https://csrc.nist.gov/publications/PubsSPs.html.

The categories and their associated controls are summarised below.

AC Access Control (24 controls)

AT Awareness and Training (6 controls)

AU Audit and Accountability (16 controls)

CA Security Assessment and Authorisation (9 controls)

CM Configuration Management (14 controls)

CP Contingency Planning (12 controls)

IA Identification and Authentication (12 controls)

IR Incident Response (10 controls)

MA Maintenance (7 controls)

MP Media Protection (8 controls)

PE Physical and Environmental Protection (23 controls)

PL Planning (9 controls)

PM Programme Management (32 controls)

PS Personnel Security (9 controls)

PT Personally Identifiable Information Processing and Transparency (8 controls)

RA Risk Assessment (9 controls)

SA System and Services Acquisition (20 controls)

SC System and Communications Protection (46 controls)

SI System and Information Integrity (22 controls)

SR Supply Chain Management (12 controls)