Implementing Policies to Mitigate Security Risk in Organizations
By Nicholas Ibenu
Security controls play a fundamental role in improving and shaping the actions security professionals take to protect an organization. In this article, I will be discussing the three main types of security controls that should be implemented in the course of drafting an organization’s security policy. “According to the IDC survey, 72 per cent of organizations in Nigeria have increased security budgets by 10 per cent or more over the last few years. This is not only the result of accelerated cloud adoption levels, but also increased awareness of security in senior management and rising new threats.”
There are three prime categories of control that make up a security policy: technical, administrative, and physical. The primary goal of a security control can be preventive, detective, corrective, compensating, or deterrent. Controls are also used to protect people, as is the case with security awareness training or policies. The lack of security controls places the confidentiality, integrity, and availability of every organization’s information at risk, and these risks extend to the safety of people and assets within the organization. The sections that follow describe the different ways in which security controls can be integrated into a security policy.
Security controls are countermeasures used to reduce the chances that a threat will exploit a vulnerability. For instance, company-wide security awareness training reduces the risk of a social engineering attack on your network, people, and information systems. While it is next to impossible to prevent all threats, mitigation seeks to decrease the risk by reducing the chances that a threat will exploit a vulnerability. Risk mitigation is achieved by implementing different types of security controls depending on the goal of the countermeasure, the level to which the risk needs to be reduced, and the severity of the damage the threat could cause.
The overall aim of implementing security controls is to reduce risk in an organization. The effective implementation of a security control is based on its classification in relation to the security incident. The common classifications are: preventive controls, which attempt to prevent an incident from occurring; detective controls, which attempt to detect incidents after they have occurred; corrective controls, which attempt to reverse the impact of an incident; deterrent controls, which attempt to discourage individuals from causing an incident; and compensating controls, which are alternative controls used when a primary control is not feasible. For instance, an organization that places a high priority on reducing risk usually has a risk profile, which shows the potential cost of a risk with negative impact and the human resources required to implement the control(s).
Next, we look at the layering approach, which combines multiple security controls to develop what is called a defence-in-depth strategy. Defence-in-depth is a common security strategy in which multiple layers of controls are implemented. By combining controls into multiple layers of security, you ensure that if one layer fails to stop a threat, the other layers help to prevent a breach of the system. Each layer of security works to counteract specific threats, which requires a security program to invest in multiple technologies and processes to prevent systems or people from being compromised.
Endpoint detection and response solutions are good at preventing viruses and malware from infecting computers and servers. However, endpoint detection is not equipped to log and monitor traffic on a network, or to detect and prevent an attack in real time as an Intrusion Prevention System (IPS) does. Before going into control types, it is important to first understand the cyber risks and threats they help to mitigate. Risk in cyber security is the likelihood that a threat will exploit a vulnerability, resulting in a loss. Losses could be of information or money, damage to reputation, or even loss of customer trust. Threats, on the other hand, are any event with the potential to compromise the confidentiality, integrity, and availability (CIA) of information.
Threats may also take the form of a natural disaster or a man-made risk such as a new malware variant. Vulnerabilities are weaknesses or flaws in software, hardware, or organizational processes which, when exploited by a threat, can result in a security incident. Such an occurrence can potentially jeopardize the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
Having covered the basic risk concepts, let’s explore how security controls are implemented. At the most basic level, technical controls, also known as logical controls, use technology to reduce vulnerabilities in hardware and software. Automated tools such as encryption, antivirus and anti-malware software, firewalls, Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are installed and configured to protect these assets.
Administrative controls are the policies and procedures an organization defines for its people. Many organizations today implement some type of onboarding process to introduce you to the company and provide you with a history of the organization. During the onboarding process, you may be instructed to review and acknowledge the security policy of the organization. By acknowledging that you have read the policies of the organization as a new hire, you become accountable for adhering to the corporate policy of the organization. To implement administrative controls, additional security controls are necessary for continuous monitoring and enforcement. The processes that monitor and enforce administrative controls fall into two groups: management controls, which focus on the management of risk and the management of information system security, and operational controls, which are primarily implemented and executed by people (as opposed to systems). For instance, a security policy is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls).
An organization may have an acceptable use policy that specifies the conduct of users, including not visiting malicious websites. The security control to monitor and enforce it could be a web content filter, which enforces the policy and logs activity at the same time. The controls that help to thwart phishing, besides the management control of the acceptable use policy itself, include operational controls, such as training users not to fall for phishing scams, and technical controls that monitor email and website usage for signs of phishing activity. Physical controls are security measures in a defined structure used to deter or prevent unauthorized access to sensitive material.
Physical Controls: closed-circuit surveillance cameras, motion or thermal alarm systems, security guards, picture IDs, locked and dead-bolted steel doors, and biometrics (including fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals).
Preventive Controls: hardening, security awareness training, security guards, change management, and an account disablement policy.
Detective Controls: log monitoring, SIEM, trend analysis, security audits, video surveillance, and motion detection.
Corrective Controls: Intrusion Prevention System (IPS), backups and system recovery.
Deterrent Controls: reduce the likelihood of a deliberate attack and are usually in the form of a tangible object or person, such as cable locks, hardware locks, video surveillance and guards.
The difference between preventive and detective controls is that a preventive control is designed to be implemented prior to a threat event, while a detective control is designed to detect errors and locate attacks against information systems that have already occurred. A compensating control is an alternative measure put in place to satisfy the requirement for a security measure that cannot be readily implemented, whether for financial or infrastructure reasons or because it is simply impractical at the present time; it meets the intent of the original control requirement and provides a similar level of assurance. Depending on the organization type, regulatory requirements mandate consistent and continuous assessments, whereas non-public organizations are not held to regulatory requirements.
One of the prime objectives of security as a whole is to prevent unauthorized parties from accessing, changing, or exploiting a network or system. Penetration testing aims to do what a bad actor would do, which is the main reason it is crucial to an organization’s security: it helps personnel learn how to handle any type of break-in by a malicious entity.
While it is important for security professionals to have a basic understanding of these controls, they must also recognize that the ultimate goal of implementing the controls is to strengthen their organization’s defences in order to reduce risk. Information security must be treated as a program that requires continuous monitoring in order to defend and protect the organization’s most valuable assets.
Nicholas Ibenu, a Security Researcher and Professor Assistant, writes from the Republic of Benin.