Security Controls - Types, Categories, and Functions

  • 0:00 - 0:02
    Security controls, you know you want them,
  • 0:02 - 0:03
    you know you need them, but you don't
  • 0:03 - 0:05
    know about them. I'm going to solve that
  • 0:05 - 0:08
    problem for you coming up now.
  • 0:09 - 0:11
    Hello everybody! My name is Adam
  • 0:11 - 0:13
    Gordon, an edutainer here at ITProTV.
  • 0:13 - 0:14
    I want to have a conversation with you
  • 0:14 - 0:16
    about security controls, something most
  • 0:16 - 0:18
    of us probably think we understand and
  • 0:18 - 0:20
    do a good job with in our businesses, but
  • 0:20 - 0:23
    in reality we probably need a little bit
  • 0:23 - 0:25
    of additional guidance answering three
  • 0:25 - 0:27
    specific questions, hopefully it's going to
  • 0:27 - 0:28
    help us to do that. And we need to make sure
  • 0:28 - 0:31
    we're focusing our discussion around the
  • 0:31 - 0:34
    primary goal of using security controls
  • 0:34 - 0:36
    which is addressing a dreaded
  • 0:36 - 0:38
    four-letter word, not the one you're
  • 0:38 - 0:40
    probably thinking about, but this one
  • 0:40 - 0:43
    right here that I'm putting on the
  • 0:43 - 0:46
    lightboard for us, which is risk. This is
  • 0:46 - 0:49
    the key to understanding and unlocking
  • 0:49 - 0:51
    not only our ability to be able to use
  • 0:51 - 0:53
    security controls, but really helping us
  • 0:53 - 0:55
    to understand and put into context what
  • 0:55 - 0:57
    they can do and how they help us to
  • 0:57 - 0:59
    achieve that. Let's frame those three
  • 0:59 - 1:00
    questions I was talking about just a
  • 1:00 - 1:02
    moment ago. How do we describe
  • 1:02 - 1:03
    security controls is where I want to
  • 1:03 - 1:06
    begin because understanding the key
  • 1:06 - 1:08
    descriptors, the difference between
  • 1:08 - 1:10
    categories and types, is going to help us
  • 1:10 - 1:12
    to understand the value that security
  • 1:12 - 1:14
    controls provide. That value is best
  • 1:14 - 1:16
    discussed and framed by answering the
  • 1:16 - 1:18
    question why? Why do we need security
  • 1:18 - 1:20
    controls? Why are they valuable to our
  • 1:20 - 1:23
    business? And finally let's talk about
  • 1:23 - 1:25
    what. What are security controls able to
  • 1:25 - 1:28
    do for us? Specifically, what are these
  • 1:28 - 1:30
    seven types of controls we have sitting
  • 1:30 - 1:31
    over here actually going to help us
  • 1:31 - 1:33
    to accomplish. Let's jump in and begin by
  • 1:33 - 1:35
    talking about how we describe security
  • 1:35 - 1:37
    controls. We have categories over here on
  • 1:37 - 1:39
    the lightboard and categories are going
  • 1:39 - 1:42
    to help us to group together controls at
  • 1:42 - 1:44
    a high level. They may be administrative
  • 1:44 - 1:47
    in nature, policy-based, giving us
  • 1:47 - 1:48
    guidance that's going to help us to
  • 1:48 - 1:50
    understand how things should be done
  • 1:50 - 1:52
    aligning with business requirements,
  • 1:52 - 1:54
    regulatory, statutory concerns, things of
  • 1:54 - 1:57
    that nature. Technical logical controls
  • 1:57 - 2:00
    are operating system driven, they're
  • 2:00 - 2:02
    implemented through software, and they're
  • 2:02 - 2:03
    going to allow us to implement
  • 2:03 - 2:06
    safeguards, controls, countermeasures, all
  • 2:06 - 2:08
    synonyms for one another by the way, that
  • 2:08 - 2:11
    allow us to treat risk, minimize it, and
  • 2:11 - 2:14
    minimize its impact specifically on us,
  • 2:14 - 2:16
    our business, and, of course, the assets of
  • 2:16 - 2:18
    the organization. But the key here is
  • 2:18 - 2:20
    that they're software-based, they're
  • 2:20 - 2:22
    implemented through the operating system
  • 2:22 - 2:24
    and/or an application, both of which are
  • 2:24 - 2:26
    software. And finally as a category,
  • 2:26 - 2:29
    physical controls. I often refer to these
  • 2:29 - 2:31
    as the guards, guns, and gates
  • 2:31 - 2:32
    conversation when I talk to customers
  • 2:32 - 2:34
    and students. These are controls that
  • 2:34 - 2:37
    manifest themselves in the physical
  • 2:37 - 2:38
    world, we can touch them, feel them,
  • 2:38 - 2:41
    interact with them. Literally they are
  • 2:41 - 2:43
    guards, they are guns, they are gates, and
  • 2:43 - 2:45
    a variety of other physical measures
  • 2:45 - 2:47
    like doors and windows and closed
  • 2:47 - 2:51
    circuit TV monitoring that allow us to
  • 2:51 - 2:52
    understand our environment and in one
  • 2:52 - 2:55
    way or another monitor and constrain it.
  • 2:55 - 2:57
    When we think about categories, in other
  • 2:57 - 2:59
    words, we think very broadly about
  • 2:59 - 3:02
    groupings of controls based on some sort
  • 3:02 - 3:05
    of approach or functionality. As we then
  • 3:05 - 3:07
    get more granular, more tactical in our
  • 3:07 - 3:09
    approach with regards to defining
  • 3:09 - 3:12
    controls, we turn our attention to types.
  • 3:12 - 3:13
    And types, as you could see there are
  • 3:13 - 3:16
    seven of them here, are going to allow us
  • 3:16 - 3:19
    to understand how we can make a very
  • 3:19 - 3:22
    specific choice to help us to impact and
  • 3:22 - 3:25
    minimize risk and in so doing, allow us
  • 3:25 - 3:27
    to address risk so that we can push it
  • 3:27 - 3:29
    down as far as possible, trying to
  • 3:29 - 3:31
    minimize that impact in the
  • 3:31 - 3:33
    organization and more broadly, throughout
  • 3:33 - 3:35
    the organizational environment across
  • 3:35 - 3:37
    all the things we do and of course
  • 3:37 - 3:38
    across all the assets that we operate
  • 3:38 - 3:40
    with. And so as we think about how we are
  • 3:40 - 3:42
    describing, we want to make sure we
  • 3:42 - 3:44
    understand that categories are very
  • 3:44 - 3:47
    broad and types are very specific. That's
  • 3:47 - 3:49
    a really important takeaway from the
  • 3:49 - 3:51
    first question. Let's turn our attention
  • 3:51 - 3:54
    to why. Why do we want to use controls?
  • 3:54 - 3:55
    Why are they valuable to an organization,
  • 3:55 - 3:58
    to you as an individual, and by extension
  • 3:58 - 4:00
    to your organization? Well they give us
  • 4:00 - 4:02
    the ability, as we were just talking
  • 4:02 - 4:03
    about, let's draw our other arrow here to
  • 4:03 - 4:05
    really highlight us on this, they give us
  • 4:05 - 4:09
    this ability to do the following,
  • 4:09 - 4:12
    right? Make sure that we try to
  • 4:12 - 4:15
    get rid of risk if at all possible, even
  • 4:15 - 4:16
    draw a little line over here just to
  • 4:16 - 4:18
    make sure we see it's kind of x'ed out.
  • 4:18 - 4:19
    Now the reality is we're never going to
  • 4:19 - 4:21
    completely get rid of risk, there's
  • 4:21 - 4:23
    always going to be some risk left which
  • 4:23 - 4:24
    is why I left the word risk right in the
  • 4:24 - 4:26
    middle of the diagram there. But the
  • 4:26 - 4:28
    reality is we could certainly shrink
  • 4:28 - 4:30
    that circle, minimize that risk, write it
  • 4:30 - 4:33
    much, much smaller, right? So that we can
  • 4:33 - 4:36
    see that yeah it's a lot smaller than it
  • 4:36 - 4:38
    was and as a result, a lot less impactful
  • 4:38 - 4:40
    to us. And controls are going to really
  • 4:40 - 4:42
    help us to get to that point. And that's
  • 4:42 - 4:45
    the why. Let's talk now about the what,
  • 4:45 - 4:47
    right? Specifically, I've already defined
  • 4:47 - 4:49
    the idea of what the categories provide
  • 4:49 - 4:51
    for us in terms of groupings but I
  • 4:51 - 4:53
    haven't really touched on what the
  • 4:53 - 4:54
    individual types of controls are. I want
  • 4:54 - 4:56
    to run them down for you quickly, make
  • 4:56 - 4:57
    sure you have a high level understanding
  • 4:57 - 5:00
    of the seven distinct controls and therefore
  • 5:00 - 5:02
    the seven choices we get to make with
  • 5:02 - 5:04
    regards to how we try to minimize that
  • 5:04 - 5:06
    risk down, make it as small and tiny as
  • 5:06 - 5:07
    possible. Let's start at the top here
  • 5:07 - 5:09
    with directive. When we think about directive
  • 5:09 - 5:11
    controls, we're thinking about controls that
  • 5:11 - 5:12
    provide guidance that are aligned
  • 5:12 - 5:14
    primarily with the administrative
  • 5:14 - 5:16
    category. They're very likely policy
  • 5:16 - 5:19
    in nature, policy driven,
  • 5:19 - 5:21
    and/or policy-like, and they're giving us
  • 5:21 - 5:23
    specific guidance, aligning us with one
  • 5:23 - 5:24
    or more requirements that the
  • 5:24 - 5:27
    organization has fundamentally laid out
  • 5:27 - 5:29
    and made clear we need to follow. And so
  • 5:29 - 5:31
    when we think about this, we're thinking
  • 5:31 - 5:33
    about really controls that are going to
  • 5:33 - 5:35
    give guidance but guidance from a policy
  • 5:35 - 5:37
    driven standpoint or vantage point. They
  • 5:37 - 5:39
    tell us to do something and they may or
  • 5:39 - 5:42
    may not tell us why it's important to do
  • 5:42 - 5:44
    that. Deterrent controls are going to
  • 5:44 - 5:47
    often be paired, let's just make a little
  • 5:47 - 5:48
    connector here so we can see this
  • 5:48 - 5:50
    pairing, are often going to be paired
  • 5:50 - 5:52
    with preventative controls. People tend
  • 5:52 - 5:54
    to confuse the two. I want to make it clear
  • 5:54 - 5:56
    for you what they are. But we should see
  • 5:56 - 5:59
    them as essentially two sides of the
  • 5:59 - 6:02
    same coin. Deterrent controls, and the name
  • 6:02 - 6:03
    itself kind of implies what the
  • 6:03 - 6:05
    definition is, deterrent controls are
  • 6:05 - 6:08
    meant to discourage behavior. You walk up
  • 6:08 - 6:11
    to a community or a house or an area
  • 6:11 - 6:13
    that's fenced off, it has a fence, it has
  • 6:13 - 6:15
    a gate, has a guard, has a big sign that
  • 6:15 - 6:18
    says "do not trespass, bad dog". Well that
  • 6:18 - 6:20
    hopefully is enough to deter you, to make
  • 6:20 - 6:22
    you make smarter choices and not decide
  • 6:22 - 6:23
    to try to go in there when you don't
  • 6:23 - 6:26
    belong or aren't invited. Whereas a
  • 6:26 - 6:28
    preventative control is meant to stop
  • 6:28 - 6:30
    you if you really don't make good
  • 6:30 - 6:32
    choices because the deterrence was not
  • 6:32 - 6:35
    enough. If we add to all those things I
  • 6:35 - 6:38
    just described, a layer, a series behind
  • 6:38 - 6:40
    that fence of guards that are standing
  • 6:40 - 6:42
    there waiting to capture you and escort
  • 6:42 - 6:44
    you off the property, then that's going
  • 6:44 - 6:47
    to prevent you from getting inside and
  • 6:47 - 6:49
    as a result, even if you make a bad
  • 6:49 - 6:51
    choice, we're going to stop you. And so
  • 6:51 - 6:53
    when we think about both deterrent and
  • 6:53 - 6:55
    we think about preventative controls, we
  • 6:55 - 6:57
    think about ways in which we can either
  • 6:57 - 6:59
    encourage you to make good choices or
  • 6:59 - 7:01
    stop you if you make bad choices. Let's
  • 7:01 - 7:04
    talk about compensating controls.
  • 7:04 - 7:07
    Compensating controls, these are designed
  • 7:07 - 7:09
    to step in and allow us to have a
  • 7:09 - 7:12
    secondary control, a backup system if you
  • 7:12 - 7:15
    will, that will prevent something bad
  • 7:15 - 7:17
    from happening because the primary
  • 7:17 - 7:19
    control that we were relying on for some
  • 7:19 - 7:21
    reason is not operable or has failed. So
  • 7:21 - 7:23
    if you imagine for instance that we have
  • 7:23 - 7:26
    a computer that runs normally, plugged
  • 7:26 - 7:28
    into our wall, getting power from the
  • 7:28 - 7:31
    power grid from the electricity provider,
  • 7:31 - 7:33
    the utility company, and everything is
  • 7:33 - 7:34
    fine except when there's a storm and the
  • 7:34 - 7:37
    power is interrupted. Well if we had a
  • 7:37 - 7:39
    compensating control, we would use a
  • 7:39 - 7:41
    backup battery solution, what we call a
  • 7:41 - 7:43
    UPS, an uninterruptible power supply,
  • 7:43 - 7:45
    where we plug the computer instead of
  • 7:45 - 7:47
    into the wall, into the battery box that
  • 7:47 - 7:49
    then is plugged into the wall. During
  • 7:49 - 7:51
    normal operations we get power directly
  • 7:51 - 7:52
    from the utility company, everything's
  • 7:52 - 7:55
    fine, but when the power cuts off we
  • 7:55 - 7:57
    still have power from
  • 7:57 - 7:58
    the batteries and the computer could
  • 7:58 - 8:00
    still be run safely for a period of time,
  • 8:00 - 8:02
    shutting it down, eliminating and
  • 8:02 - 8:04
    significantly reducing the likelihood
  • 8:04 - 8:06
    we're going to damage the data or damage
  • 8:06 - 8:08
    the system by shutting it down hard,
  • 8:08 - 8:10
    as we said, right, with no power all of
  • 8:10 - 8:11
    a sudden just turning it off. So
  • 8:11 - 8:13
    compensating controls are meant to
  • 8:13 - 8:16
    offset the loss of a primary control and
  • 8:16 - 8:17
    the primary control could be one of the
  • 8:17 - 8:19
    other types whatever they are. Let's turn
  • 8:19 - 8:22
    our attention to detective controls. Well
  • 8:22 - 8:24
    detective controls are just like
  • 8:24 - 8:26
    detectives in real life. They look for
  • 8:26 - 8:28
    clues and they try to tell us and alert
  • 8:28 - 8:31
    us and show us that things are abnormal
  • 8:31 - 8:32
    and that we should pay attention to them
  • 8:32 - 8:35
    'cause likely something bad has happened or
  • 8:35 - 8:37
    is about to happen and we're seeing it
  • 8:37 - 8:39
    unfold in near real time. So detective
  • 8:39 - 8:42
    controls, just like Sherlock Holmes or
  • 8:42 - 8:44
    any detective that you like, are good
  • 8:44 - 8:46
    sleuths. They look for things and they
  • 8:46 - 8:48
    help us to uncover activity that's
  • 8:48 - 8:50
    probably going to be an issue for us and
  • 8:50 - 8:52
    then we want to take action to correct.
  • 8:52 - 8:54
    Corrective controls, having just said the
  • 8:54 - 8:56
    word, corrective controls are those
  • 8:56 - 8:59
    controls that allow us to take action
  • 8:59 - 9:00
    after something most likely has been
  • 9:00 - 9:03
    detected, some bad thing has happened, and
  • 9:03 - 9:04
    we want to put it right, we want to get
  • 9:04 - 9:07
    back to normal, we want to stop having
  • 9:07 - 9:10
    this issue and return operations to the
  • 9:10 - 9:12
    way they were before this occurred. Now
  • 9:12 - 9:15
    corrective and recovery controls are
  • 9:15 - 9:17
    also usually grouped together by the way
  • 9:17 - 9:20
    because recovery controls are like an
  • 9:20 - 9:22
    extension of corrective controls but
  • 9:22 - 9:23
    they have more features, more capability,
  • 9:23 - 9:25
    more depth. They're technically, in other
  • 9:25 - 9:28
    words, going to give us more options and
  • 9:28 - 9:29
    they're often used in combination with
  • 9:29 - 9:32
    corrective controls to, again, restore
  • 9:32 - 9:34
    systems and operations to normal after
  • 9:34 - 9:36
    some sort of bad event has occurred, but
  • 9:36 - 9:38
    to do so with more capabilities, more
  • 9:38 - 9:41
    often than not. So these seven make up our
  • 9:41 - 9:43
    types, grouped together into one of three
  • 9:43 - 9:45
    categories, and what we then have
  • 9:45 - 9:47
    ultimately is our ability to bring this
  • 9:47 - 9:50
    all together to shrink risk into a more
  • 9:50 - 9:53
    manageable size, hopefully minimizing it
  • 9:53 - 9:54
    enough that the impact to our
  • 9:54 - 9:57
    organization is negligible or certainly
  • 9:57 - 9:58
    less than it would have been otherwise.
  • 9:58 - 10:00
    You could see the size difference there
  • 10:00 - 10:02
    hopefully indicates that, and as a result
  • 10:02 - 10:04
    we live to fight another day. I've been
  • 10:04 - 10:06
    Adam Gordon talking to you about
  • 10:06 - 10:08
    security controls on behalf of ITProTV.
  • 10:08 - 10:09
    If you want to learn more about security
  • 10:09 - 10:11
    controls or any of the other thousands
  • 10:11 - 10:13
    of things we talk about and teach about
  • 10:13 - 10:15
    every day, I always want to invite you to
  • 10:15 - 10:17
    come and take a look over at ITProTV,
  • 10:17 - 10:19
    spend some time with us. Myself and all
  • 10:19 - 10:21
    my fellow edutainers are always up for
  • 10:21 - 10:23
    opportunities to spend time with you,
  • 10:23 - 10:24
    helping you to better understand your
  • 10:24 - 10:26
    world and making sure you have all the
  • 10:26 - 10:28
    knowledge you need to be successful. I'll
  • 10:28 - 10:30
    be back soon with another conversation
  • 10:30 - 10:32
    but until I am, I'll wish you happy
  • 10:32 - 10:36
    securing and I'll see you soon.
Video Language:
English
Duration:
10:38