Security Controls - Types, Categories, and Functions

Rollback to version 1

0:00 - 0:02

security controls you know you want them
0:02 - 0:03

you know you need them but you don't
0:03 - 0:05

know about them I'm going to solve that
0:05 - 0:08

problem for you coming up
0:09 - 0:11

now hello everybody my name is Adam
0:11 - 0:13

Gordon an Entertainer here at it pro TV
0:13 - 0:14

want to have a conversation with you
0:14 - 0:16

about security controls something most
0:16 - 0:18

of us probably think we understand and
0:18 - 0:20

do a good job with in our businesses but
0:20 - 0:23

in reality we probably need a little bit
0:23 - 0:25

of additional guidance answering three
0:25 - 0:27

specific questions hopefully he going to
0:27 - 0:28

help us to do that we need to make sure
0:28 - 0:31

we're focusing our discussion around the
0:31 - 0:34

primary goal of using security controls
0:34 - 0:36

which is addressing a dreaded
0:36 - 0:38

four-letter word not the one you're
0:38 - 0:40

probably thinking about but this one
0:40 - 0:43

right here that I'm putting on the
0:43 - 0:46

lightboard forest which is risk this is
0:46 - 0:49

the key to understanding and unlocking
0:49 - 0:51

not only our ability to be able to use
0:51 - 0:53

security controls but really helping us
0:53 - 0:55

to understand and put into context what
0:55 - 0:57

they can do and how they help us to
0:57 - 0:59

achieve that let's frame those three
0:59 - 1:00

questions I was talking about just a
1:00 - 1:02

moment moment ago how do we describe
1:02 - 1:03

security controls is where I want to
1:03 - 1:06

begin because understanding the key
1:06 - 1:08

descriptors the difference between
1:08 - 1:10

categories and types is going to help us
1:10 - 1:12

to understand the value that security
1:12 - 1:14

controls provide that value is best
1:14 - 1:16

discussed and framed by answering the
1:16 - 1:18

question why why do we need security
1:18 - 1:20

controls why are they valuable to our
1:20 - 1:23

business and finally let's talk about
1:23 - 1:25

what what are security controls able to
1:25 - 1:28

do for us specifically what are these
1:28 - 1:30

seven types of controls we have sitting
1:30 - 1:31

over over here actually going to help us
1:31 - 1:33

to accomplish let's jump in and begin by
1:33 - 1:35

talking about how we describe security
1:35 - 1:37

controls we have categories over here on
1:37 - 1:39

the lightboard and categories are going
1:39 - 1:42

to help us to group together controls at
1:42 - 1:44

a high level they may be administrative
1:44 - 1:47

in nature policy based giving us
1:47 - 1:48

guidance that's going to help us to
1:48 - 1:50

understand how things should be done
1:50 - 1:52

aligning with business requirements
1:52 - 1:54

regulatory statutory concerns things of
1:54 - 1:57

that nature technical logical controls
1:57 - 2:00

are operating system driven they're
2:00 - 2:02

implemented through software and they're
2:02 - 2:03

going to allow us to implement
2:03 - 2:06

safeguards controls counter measures all
2:06 - 2:08

synonyms for one another by the way that
2:08 - 2:11

allow us to treat risk minimize it and
2:11 - 2:14

minimize its impact specifically on us
2:14 - 2:16

our business and of course the assets of
2:16 - 2:18

the organization but the key here is
2:18 - 2:20

that they're software-based they're
2:20 - 2:22

implemented through the operating system
2:22 - 2:24

Andor an application both of which are
2:24 - 2:26

software and finally as a category
2:26 - 2:29

physical controls I often refer to these
2:29 - 2:31

as the guards guns and Gates
2:31 - 2:32

conversation when I talk to customers
2:32 - 2:34

and students these are controls that
2:34 - 2:37

manifest themselves in the physical
2:37 - 2:38

world we can touch them feel them
2:38 - 2:41

interact with them literally they are
2:41 - 2:43

guards they are guns they are Gates and
2:43 - 2:45

a variety of other physical measures
2:45 - 2:47

like doors and windows and closed
2:47 - 2:51

circuit TV monitoring that allow us to
2:51 - 2:52

understand our environment and in one
2:52 - 2:55

way or another monitor and constrain it
2:55 - 2:57

when we think about categories in other
2:57 - 2:59

words we think very broadly about
2:59 - 3:02

groupings of controls based on some sort
3:02 - 3:05

of approach or functionality as we then
3:05 - 3:07

get more granular more tactical in our
3:07 - 3:09

approach with regards to defining
3:09 - 3:12

controls we turn our attention to types
3:12 - 3:13

and types as you could see there are
3:13 - 3:16

seven of them here are going to allow us
3:16 - 3:19

to understand how we can make a very
3:19 - 3:22

specific choice to help us to impact and
3:22 - 3:25

minimize risk and in so doing allow us
3:25 - 3:27

to address risk so that we can push it
3:27 - 3:29

down as far as possible Trying to
3:29 - 3:31

minimize has that impact in the
3:31 - 3:33

organization and more broadly throughout
3:33 - 3:35

the organizational environment across
3:35 - 3:37

all the things we do and of course
3:37 - 3:38

across all the assets that we operate
3:38 - 3:40

with and so as we think about how we are
3:40 - 3:42

describing we want to make sure we
3:42 - 3:44

understand that categories are very
3:44 - 3:47

Broad and types are very specific that's
3:47 - 3:49

a really important takeaway from the
3:49 - 3:51

first question let's turn our attention
3:51 - 3:54

to why why do we want to use controls
3:54 - 3:55

why are they valuable to an organization
3:55 - 3:58

to you as an individual and by extension
3:58 - 4:00

to your organization well they give us
4:00 - 4:02

the ability as we were just talking
4:02 - 4:03

about let's draw our other hour here to
4:03 - 4:05

really highlight us on this to give us
4:05 - 4:09

this ability to do the
4:09 - 4:12

following right make sure that we try to
4:12 - 4:15

get rid of risk of it all possible even
4:15 - 4:16

draw a little line over here just to
4:16 - 4:18

make sure we see it's kind of xed out
4:18 - 4:19

now the reality is we're never going to
4:19 - 4:21

completely get rid of risk there's
4:21 - 4:23

always going to be some risk left which
4:23 - 4:24

is why I left the word risk right in the
4:24 - 4:26

middle of the diagram there but the
4:26 - 4:28

reality is we could certainly shrink
4:28 - 4:30

that Circle minimize that risk write it
4:30 - 4:33

much much smaller right so that we can
4:33 - 4:36

see that yeah it's a lot smaller than it
4:36 - 4:38

was and as a result lot less impactful
4:38 - 4:40

to us and controls are going to really
4:40 - 4:42

help us to get to that point and that's
4:42 - 4:45

the why let's talk now about the what
4:45 - 4:47

right specifically I've already defined
4:47 - 4:49

the idea of what the categories provide
4:49 - 4:51

for us in terms of groupings but I
4:51 - 4:53

haven't really touched on what the
4:53 - 4:54

individual types of controls are I want
4:54 - 4:56

to run them down for you quickly make
4:56 - 4:57

sure you have a high level understanding
4:57 - 5:00

of the seven distinct controls therefore
5:00 - 5:02

the seven choices we get to make with
5:02 - 5:04

regards to how we try to minimize that
5:04 - 5:06

risk down make it as small and tiny as
5:06 - 5:07

possible let's start at the top here
5:07 - 5:09

with directive we think about directive
5:09 - 5:11

controls we're think about controls that
5:11 - 5:12

provide guidance that are aligned
5:12 - 5:14

primarily with the administrative
5:14 - 5:16

category they're very likely policy
5:16 - 5:19

nature policy in nature policy driven
5:19 - 5:21

and or policy like and they're giving us
5:21 - 5:23

specific guidance aligning us with one
5:23 - 5:24

or more requirements that the
5:24 - 5:27

organization has fundamentally laid out
5:27 - 5:29

and made clear we need to follow and so
5:29 - 5:31

when we think about this we're thinking
5:31 - 5:33

about really controls that are going to
5:33 - 5:35

give guidance but guidance from a policy
5:35 - 5:37

driven standpoint or vantage point they
5:37 - 5:39

tell us to do something and they may or
5:39 - 5:42

may not tell us why it's important to do
5:42 - 5:44

that DET turn controls are going to
5:44 - 5:47

often be paired let's just make a little
5:47 - 5:48

connector here so we can see this
5:48 - 5:50

pairing are often going to be paired
5:50 - 5:52

with preventative controls people tend
5:52 - 5:54

to confuse the two want to make it clear
5:54 - 5:56

for you what they are but we should see
5:56 - 5:59

them as essentially two sides of the
5:59 - 6:02

same coin DET turn controls and the name
6:02 - 6:03

itself kind of implies what the
6:03 - 6:05

definition is DET turn controls are
6:05 - 6:08

meant to discourage Behavior you walk up
6:08 - 6:11

to a community or a house or an area
6:11 - 6:13

that's fenced off it has a fence it has
6:13 - 6:15

a gate has a guard has a big sign that
6:15 - 6:18

says do not trespass bad dog well that
6:18 - 6:20

hopefully is enough to deter you to make
6:20 - 6:22

you make smarter choices and not decide
6:22 - 6:23

to try to go in there when you don't
6:23 - 6:26

belong or aren't invited whereas a
6:26 - 6:28

preventative control is meant to stop
6:28 - 6:30

you if you really don't make good
6:30 - 6:32

choices because the deterrence was not
6:32 - 6:35

enough if we add to all those things I
6:35 - 6:38

just described a layer a series behind
6:38 - 6:40

that fence of guards that are standing
6:40 - 6:42

there waiting to capture you and escort
6:42 - 6:44

you off the property then that's going
6:44 - 6:47

to prevent you from getting inside and
6:47 - 6:49

as a result even if you make a bad
6:49 - 6:51

choice we're going to stop you and so
6:51 - 6:53

when we think about both deterrent and
6:53 - 6:55

we think about preventative controls we
6:55 - 6:57

think about ways in which we can either
6:57 - 6:59

encourage you to make good choices or
6:59 - 7:01

stop you if you make bad choices let's
7:01 - 7:04

talk about compensating controls
7:04 - 7:07

compensating controls these are designed
7:07 - 7:09

to step in and allow us to have a
7:09 - 7:12

secondary control a backup system if you
7:12 - 7:15

will that will prevent something bad
7:15 - 7:17

from happening because the primary
7:17 - 7:19

control that we were relying on for some
7:19 - 7:21

reason is not operable or has failed so
7:21 - 7:23

if you imagine for instance that we have
7:23 - 7:26

a computer that runs normally plugged
7:26 - 7:28

into our wall getting power from the
7:28 - 7:31

power grid from the electricity provider
7:31 - 7:33

the utility company and everything is
7:33 - 7:34

fine except when there's a storm and the
7:34 - 7:37

power is interrupted well if we had a
7:37 - 7:39

compensating control we would use a
7:39 - 7:41

backup battery solution what we call a
7:41 - 7:43

UPS an uninterruptible power supply
7:43 - 7:45

where we plug the computer instead of
7:45 - 7:47

into the wall into the battery box that
7:47 - 7:49

then is plugged into the wall during
7:49 - 7:51

normal operations we get power directly
7:51 - 7:52

from the utility company everything's
7:52 - 7:55

fine but when the power cuts off we
7:55 - 7:57

still have P we still have power from
7:57 - 7:58

the batteries and the computer could
7:58 - 8:00

still be run safely for period of time
8:00 - 8:02

shutting it down eliminating and
8:02 - 8:04

significantly reducing the likel here
8:04 - 8:06

we're going to damage the data or damage
8:06 - 8:08

the system by shutting it down uh heart
8:08 - 8:10

as we said right with no power all of a
8:10 - 8:11

sudden just turning it off so
8:11 - 8:13

compensating controls are meant to
8:13 - 8:16

offset the loss of a primary control and
8:16 - 8:17

the primary control could be one of the
8:17 - 8:19

other types whatever they are let's turn
8:19 - 8:22

our attention to detective controls well
8:22 - 8:24

detective controls are just like
8:24 - 8:26

detectives in real life they look for
8:26 - 8:28

Clues and they try to tell us and alert
8:28 - 8:31

us and show us that things are abnormal
8:31 - 8:32

and that we should pay attention to them
8:32 - 8:35

cuz likely something bad has happened or
8:35 - 8:37

is about to happen and we're seeing it
8:37 - 8:39

unfold in near real time so detective
8:39 - 8:42

controls just like Sherlock Holmes or
8:42 - 8:44

any detective that you like are good
8:44 - 8:46

sleuths they look for things and they
8:46 - 8:48

help us to uncover activity that's
8:48 - 8:50

probably going to be an issue for us and
8:50 - 8:52

then we want to take action to correct
8:52 - 8:54

corrective controls having just said the
8:54 - 8:56

word corrective controls are those
8:56 - 8:59

controls that allow us to take action
8:59 - 9:00

after something most likely has been
9:00 - 9:03

detected some bad thing has happened and
9:03 - 9:04

we want to put it right we want to get
9:04 - 9:07

back to normal we want to stop having
9:07 - 9:10

this issue and return operations the the
9:10 - 9:12

way they were before this occurred now
9:12 - 9:15

corrective and Recovery controls are
9:15 - 9:17

also usually grouped together by the way
9:17 - 9:20

because recovery controls are like an
9:20 - 9:22

extension of corrective controls but
9:22 - 9:23

they have more features more capability
9:23 - 9:25

more depth they're technically in other
9:25 - 9:28

words going to give us more options and
9:28 - 9:29

they're often used in combination with
9:29 - 9:32

corrective controls to again restore
9:32 - 9:34

systems and operations to normal after
9:34 - 9:36

some sort of bad event has occurred but
9:36 - 9:38

to do so with more capabilities more
9:38 - 9:41

often than not so these seven makeup our
9:41 - 9:43

types group together into one of three
9:43 - 9:45

categories and what we then have
9:45 - 9:47

ultimately is our ability to bring this
9:47 - 9:50

all together to shrink risk into a more
9:50 - 9:53

manageable size hopefully minimizing it
9:53 - 9:54

enough that the impact to our
9:54 - 9:57

organization is negligible or certainly
9:57 - 9:58

less than it would have been otherwise
9:58 - 10:00

could see the size difference there
10:00 - 10:02

hopefully indicates that and as a result
10:02 - 10:04

we live to fight another day I've been
10:04 - 10:06

Adam Gordon talking to you about
10:06 - 10:08

security controls on behalf of it pro TV
10:08 - 10:09

if you want to learn more about security
10:09 - 10:11

controls or any of the other thousands
10:11 - 10:13

of things we talk about and teach about
10:13 - 10:15

every day always want to invite you to
10:15 - 10:17

come and take a look over at it pro TV
10:17 - 10:19

spend some time with us myself and all
10:19 - 10:21

my fellow entertainers are always up for
10:21 - 10:23

opportunities to spend time with you
10:23 - 10:24

helping you to better understand your
10:24 - 10:26

world and making sure you have all the
10:26 - 10:28

knowledge you need to be successful I'll
10:28 - 10:30

be back soon with another conversation
10:30 - 10:32

but until I am I'll wish you happy
10:32 - 10:36

securing and I'll see you soon

Title:: Security Controls - Types, Categories, and Functions
Description:: more » « less
Video Language:: English
Duration:: 10:38

	OEVIDEOS edited English subtitles for Security Controls - Types, Categories, and Functions
	OEVIDEOS edited English subtitles for Security Controls - Types, Categories, and Functions
	OEVIDEOS edited English subtitles for Security Controls - Types, Categories, and Functions
	OEVIDEOS edited English subtitles for Security Controls - Types, Categories, and Functions
	OEVIDEOS edited English subtitles for Security Controls - Types, Categories, and Functions

English subtitles

Revisions Compare revisions

Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Security Controls - Types, Categories, and Functions

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)