Organizational Controls
Organizational controls are procedures and processes that define how people
in the organization should perform their duties.
Preventative controls in this category include:
- Clear roles and responsibilities. These must be clearly defined and
documented so that management and staff clearly understand who is
responsible for ensuring that an appropriate level of security is
implemented for the most important IT assets.
- Separation of duties and least privileges. When properly implemented,
these ensure that people have only enough access to IT systems to
effectively perform their job duties and no more.
- Documented security plans and procedures. These are developed to explain
how controls have been implemented and how they are to be maintained.
- Security training and ongoing awareness campaigns. This is necessary for
all members of the organization so that users and members of the IT team
understand their responsibilities and how to properly utilize the computing
resources while protecting the organization's data.
- Systems and processes for provisioning and de-provisioning users. These
controls are necessary so that new members of the organization are able to
become productive quickly, while departing personnel lose access immediately
upon departure. Processes for provisioning should also include employee
transfers between groups within the company where privileges and access change
from one level to another. For example, consider government personnel
changing jobs and security classifications from Secret to Top Secret, or
vice versa.
- Established processes for granting access to contractors, vendors,
partners, and customers. This is often a variation on user provisioning,
mentioned previously, but in many cases it is very distinct. Sharing some
data with one group of external users while sharing a different collection
of data with a different group can be challenging. Legal and regulatory
requirements often impact the choices, for example when health or financial
data is involved.
Detection controls in this category include:
- Performing continuing risk management programs to assess and control
risks to the organization's key assets.
- Executing recurrent reviews of controls to verify the controls'
efficacy.
- Periodic undertaking of system audits to ensure that systems have not
been compromised or misconfigured.
- Performing background investigations of prospective candidates for
employment. You should also consider additional background investigations
for existing employees when they are being considered for promotion to
positions with a significantly higher level of access to the organization's
IT assets.
- Establishing a rotation of duties, which is an effective way to uncover
nefarious activities by members of the IT team or users with access to
sensitive information.
Management controls in this category include:
- Incident response planning, which provides an organization with the
ability to quickly react to and recover from security violations while
minimizing their impact and preventing the spread of the incident to other
systems.
- Business continuity planning, which enables an organization to recover
from catastrophic events that impact a large fraction of the IT
infrastructure.
Operational Controls
Operational controls define how people in the organization should handle
data, software and hardware. They also include environmental and physical
protections as described below.
Preventative controls in this category include:
- Protection of computing facilities by physical means such as guards,
electronic badges and locks, biometric locks, and fences.
- Physical protection for end-user systems, including devices such as
mobile computer locks and alarms and encryption of files stored on mobile
devices.
- Emergency backup power, which can save sensitive electrical systems from
harm during power brownouts and blackouts; it can also ensure that
applications and operating systems are shut down in a graceful manner to
preserve data and transactions.
- Fire protection systems such as automated fire suppression systems and
fire extinguishers, which are essential tools for guarding the
organization's key assets.
- Temperature and humidity control systems that extend the life of
sensitive electrical equipment and help to protect the data stored on them.
- Media access control and disposal procedures to ensure that only
authorized personnel have access to sensitive information and that media
used for storing such data is rendered unreadable by degaussing or other
methods before disposal.
- Backup systems and provisions for offsite backup storage to facilitate
the restoration of lost or corrupted data. In the event of a catastrophic
incident, backup media stored offsite makes it possible to restore critical
business data onto replacement systems.
Detection and recovery controls in this category include:
- Physical security, which shields the organization from attackers
attempting to gain access to its premises; examples include sensors, alarms,
cameras, and motion detectors.
- Environmental security, which safeguards the organization from
environmental threats such as floods and fires; examples include smoke and
fire detectors, alarms, sensors, and flood detectors.
Technological Controls
Technological controls vary considerably in complexity. They include system
architecture design, engineering, hardware, software, and firmware. They are all
of the technological components used to build an organization's information
systems.
Preventative controls in this category include:
- Authentication. The process of validating the credentials of a person,
computer, process, or device. Authentication requires that the person,
process, or device making the request provide a credential that proves it is
what or who it says it is. Common forms of credentials are digital
signatures, smart cards, biometric data, and a combination of user names and
passwords.
- Authorization. The process of granting a person, computer process, or
device access to certain information, services, or functionality.
Authorization is derived from the identity of the person, computer process,
or device requesting access, which is verified through authentication.
- Nonrepudiation. The technique used to ensure that someone performing an
action on a computer cannot falsely deny that he or she performed that
action. Nonrepudiation provides undeniable proof that a user took a specific
action such as transferring money, authorizing a purchase, or sending a
message.
- Access control. The mechanism for limiting access to certain information
based on a user's identity and membership in various predefined groups.
Access control can be mandatory, discretionary, or role-based.
- Protected communications. These controls use encryption to protect the
integrity and confidentiality of information transmitted over networks.
Detection and recovery controls in this category include:
- Audit systems. Make it possible to monitor and track system behavior
that deviates from expected norms. They are a fundamental tool for
detecting, understanding, and recovering from security breaches.
- Antivirus programs. Designed to detect and respond to malicious
software, such as viruses and worms. Responses may include blocking user
access to infected files, cleaning infected files or systems, or informing
the user that an infected program was detected.
- System integrity tools. Make it possible for IT staff to determine
whether unauthorized changes have been made to a system. For example, some
system integrity tools calculate a checksum for all files present on the
system's storage volumes and store the information in a database on a
separate computer. Comparisons between a system's current state and its
previously-known good configuration can be completed in a reliable and
automated fashion with such a tool.
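The system integrity tool described above, as an added example that is not part of the original guide: it hashes every file under a root directory, stores the baseline as a JSON file (which stands in for the database kept on a separate computer), and later reports added, removed and modified files. The directory tree, file names and contents in `demo()` are constructed for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 hex digest of one file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Sorted lists of added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a temp tree, change it, then verify it."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("debug = off\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    # The baseline JSON stands in for the database kept on a separate computer;
    # in production it must not be writable from the monitored host.
    db = Path(tempfile.mkdtemp()) / "baseline.json"
    db.write_text(json.dumps(build_baseline(root), sort_keys=True))
    # Simulate unauthorized changes: one file edited, one deleted, one added.
    (root / "etc" / "app.conf").write_text("debug = on\n")
    (root / "etc" / "hosts").unlink()
    (root / "unknown.bin").write_bytes(b"\x00")
    return compare(json.loads(db.read_text()), build_baseline(root))
```

A scheduled run of `compare()` against the stored baseline is the automated comparison the list item refers to; any non-empty result is the event to investigate.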
Management controls in this category include:
- Security administration tools included with many computer operating
systems and business applications as well as security oriented hardware and
software products. These tools are needed in order to effectively maintain,
support, and troubleshoot security features in all of these products.
- Cryptography, which is the foundation for many other security controls.
The secure creation, storage, and distribution of cryptographic keys make
possible such technologies as virtual private networks (VPNs), secure user
authentication, and encryption of data on various types of storage media.
- Identification, which supplies the ability to identify unique users and
processes. With this capability, systems can include features such as
accountability, discretionary access control, role-based access control, and
mandatory access control.
- Protections inherent in the system, which are features designed into the
system to provide protection of information processed or stored on that
system. Safely reusing objects, supporting no-execute (NX) memory, and
process separation all demonstrate system protection features.
When you consider control solutions you may also find it helpful to review
the "Organizing the Control Solutions" section in
Chapter 6, "Implementing Controls and Measuring
Program Effectiveness." This section includes links to a variety of prescriptive
guidance that was written to help organizations increase the security of their
information systems.
Woodgrove Example: The first risk, the risk that financial adviser
user credentials could be stolen while logging on to the LAN, might be addressed
by requiring users to authenticate using smart cards when connecting locally to
the corporate network.
The second risk, the risk that financial adviser user credentials could be
stolen while logging on to the network remotely, might be addressed by requiring
all users to authenticate using smart cards when connecting remotely to the
corporate network. Record each of the proposed controls for each risk in the
"Proposed Control" column in SRMGTool3-Detailed Level Risk Prioritization.xls.