Compare and Contrast Security Controls and Framework Types

1. Friendly Tip: Please take notes to better remember concepts
In this video we will
Compare and Contrast
Security Controls and
Framework Types
Core Cyber Security Concepts

2. Security controls are parameters implemented to
protect various forms of data and infrastructure
important to an organization.
Any type of safeguard or countermeasure used to
avoid, detect, counteract, or minimize security risks to
physical property, information, computer systems, or
other assets is considered a security control.
What are Security Controls ?

3. Unauthorized access
Email Spoofing
Denial of Service
Trojans and other malwares
Security Controls protects the IT infrastructure from:
Goals of Security Controls:

4. Security Control Categories
Security Controls are classified into three categories:
Technical controls
Operational controls
Managerial controls
- Controls in place to set rules for
System software, Application software
and other security appliances
- Controls managed by an individual such
as Information Security systems officer
- Executives such as CSO have Control
of entire system and make decisions

5. Security Controls - Flow of responsibilties
CSO makes the managerial
decisions and tells the
Information Security officer
what needs to be done.
ISO takes care of the
operational aspect and
gives detailed instructions
to his team/employees to
execute the technical tasks

6. Security Controls - 6 Functional Types
- Preventive S.Controls
Preventive controls are supposed to be applied before
the threat occurs. The goal of preventive security
control is to prevent unauthorized access
-> Compensating S.Controls
These controls are intended to provide an alternate measure of control.
Even if antivirus is disabled/fails to isolate/quarantine malwares, an
Intrusion Prevention system blocks the suspicious traffic in the first
place, acting as a compensatory control.

7. These controls are to be applied incase of an active attack.
These security controls are utilized to search and log the
management of attack These controls aid in identifying the
activities carried out during the incident and searches for
potential intruders.
- Detective S.Controls
- Physical S.Controls
This control is meant to deter an attacker's physical attacks
with the use of security alarms, locks , bio-metric scanners
and CCTVs

8. - Corrective S.Controls
These security control is utilized to integrate a recovery focus
and preventive approach into the organization after the
attack. Incident manegement are responsible for corrective
security controls. These controls are in place to fix/undo the
damage to IT infrastructure after an incident has occurred.
-> Deterrent Controls
These controls intended to discourage potential attacks, it
involves use of psychological/social warnings. Pop-up alerts

9. NIST Cybersecurity Framework
NIST Cybersecurity Framework
is a set of guidelines for
mitigating organizational
cybersecurity risks, published
by the US National Institute of
Standards and Technology
based on existing standards,
guidelines, and practices.

10. In NIST cyber security framework, there's five functions.
Let's begin with the first function Identify. Assume you want to
understand what is the best practice to carry out asset management ,
then you can refer to the particular document ID.AM

11. Suppose You want to understand what is the best practice
to carry out Risk Assessment ? Then you can simply refer
to the particular document ID.RA to know what's the best
practice to conduct/carry out risk assessment.

12. Similarly in the second function Protect, if you'd like
to learn what is the best way to conduct Awareness
training, you can refer to the document PR.AT for
awareness training.

13. Similarly the remaining functions Detect, Respond & Recover have their own
designated documents

14. Similar to NIST Framework, you can also make use of other
Information Security Frameworks such as:
ISO 2700 /31000
Cybersecurity Framework
Cloud Security Alliance

15. ISO/IEC 2700 - Cybersecurity Framework
" ISO/IEC 27001:2013 specifies the requirements for
establishing, implementing, maintaining and
continually improving an information security
management system within the context of the
organization "
- International Organization for Standardization
It's a comprehensive set of controls applicable to
all industry sectors. It serves as a management process
to evaluate, implement and maintain Information
security management systems.

16. CSA - Cloud Security Alliance

17. Regulations, Standards & Legislation
General Data Protection Regulation (GDPR) Act
The General Data Protection Regulation is a regulation in EU law on data
protection and privacy in the European Union and the European
Economic Area.
The GDPR is an important
component of EU privacy law and of
human rights law, in particular Article
8 of the Charter of Fundamental
Rights of the European Union

18. Due Care vs Due Diligence
Due care can be described as
reasonable care taken in
protecting the organization
Where as Due Diligence can
be described as
following/practices to
maintain Due care effort
Due care is the legal term pertaining
to the legal duty organization
Where as Due Diligence is the best
practices an organization should follow.
such as Computer Security Act
Lack of Due care is considered as
neglience and legally punishable
Due dilligence isnt legally liable

19. Based on the territory/state/or nation,
there are certain audit checklists an
organization has to meet in-order to
function/carry out their operations,
such as Health Insurance Portability
and Accountability Act (HIPAA) to
protect patient confidentiality.
National, Territory or State Laws

20. The Payment Card Industry Data Security Standard is another
example for such laws. It's an information security standard
for organizations that handle branded credit cards from the
major card schemes.
The PCI Standard is
mandated by the card brands
but administered by the
Payment Card Industry
Security Standards
National, Territory or State Laws