请输入您要查询的百科知识:

 

词条 Security controls
释义

  1. Information security standards and control frameworks

     International information security standards  U.S. Federal Government information security standards  U.S. Department of Defense information security standards 

  2. Telecommunications

  3. Business control frameworks

  4. See also

  5. References

{{confusing|date=January 2012}}

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

They can be classified by several criteria. For example, according to the time that they act, relative to a security incident:

  • Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
  • During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
  • After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

According to their nature, for example:

  • Physical controls e.g. fences, doors, locks and fire extinguishers;
  • Procedural controls e.g. incident response processes, management oversight, security awareness and training;
  • Technical controls e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
  • Legal and regulatory or compliance controls e.g. privacy laws, policies and clauses.

A similar categorization distinguishes control involving people, technology and operations/processes.

In the field of information security, such controls protect the confidentiality, integrity and/or availability of information - the so-called CIA Triad

Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.

International information security standards

ISO/IEC 27001 specifies 114 controls in 14 groups:

  • A.5: Information security policies
  • A.6: How information security is organised
  • A.7: Human resources security - controls that are applied before, during, or after employment.
  • A.8: Asset management
  • A.9: Access controls and managing user access
  • A.10: Cryptographic technology
  • A.11: Physical security of the organisation's sites and equipment
  • A.12: Operational security
  • A.13: Secure communications and data transfer
  • A.14: Secure acquisition, development, and support of information systems
  • A.15: Security for suppliers and third parties
  • A.16: Incident management
  • A.17: Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws.

U.S. Federal Government information security standards

From NIST Special Publication SP 800-53 revision 4.

  1. AC Access Control.
  2. AT Awareness and Training.
  3. AU Audit and Accountability.
  4. CA Security Assessment and Authorization. (historical abbreviation)
  5. CM Configuration Management.
  6. CP Contingency Planning.
  7. IA Identification and Authentication.
  8. IR Incident Response.
  9. MA Maintenance.
  10. MP Media Protection.
  11. PE Physical and Environmental Protection.
  12. PL Planning.
  13. PS Personnel Security.
  14. RA Risk Assessment.
  15. SA System and Services Acquisition.
  16. SC System and Communications Protection.
  17. SI System and Information Integrity.
  18. PM Program Management.

U.S. Department of Defense information security standards

From DoD Instruction 8500.2 [https://web.archive.org/web/20091122200729/http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf] there are 8 Information Assurance (IA) areas and the controls are referred to as IA controls.

  1. DC Security Design & Configuration
  2. IA Identification and Authentication
  3. EC Enclave and Computing Environment
  4. EB Enclave Boundary Defense
  5. PE Physical and Environmental
  6. PR Personnel
  7. CO Continuity
  8. VI Vulnerability and Incident Management

DoD assigns the IA control per CIA Triad leg.

Telecommunications

{{main article|Security service (telecommunication)}}

In telecommunications, security controls are defined as Security services as part of OSI Reference model

  • ITU-T X.800 Recommendation.
  • ISO ISO 7498-2

These are technically aligned.[1][2] This model is widely recognized [3]

[4]

Business control frameworks

There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including:

  • SSAE 16
  • ISAE 3402
  • Payment Card Industry Data Security Standard
  • Health Insurance Portability and Accountability Act

See also

{{Portal|Computer Security}}
  • Access control
  • countermeasure
  • Environmental design
  • Information security
  • OSI Reference Model
  • Physical Security
  • Risk
  • Security
  • Security engineering
  • Security management
  • Security services

References

1. ^X.800 : Security architecture for Open Systems Interconnection for CCITT applications
2. ^ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
3. ^William StallingsCrittografia e sicurezza delle retiSeconda edizione{{ISBN|88-386-6377-7}}Traduzione Italiana a cura di Luca Salgarellidi Cryptography and Network security 4 editionPearson2006
4. ^Securing information and communications systems: principles, technologies, and applicationsSteven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
  • Information Security Forum's Standard of Good Practice for Information Security
  • NIST SP 800-53 Revision 4
  • [https://web.archive.org/web/20091122200729/http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf DoD Instruction 8500.2]
  • FISMApedia Terms

4 : Computer network security|Computer security procedures|Data security|Computer security

随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/11/11 13:59:16