In the third chapter of our series on the five key components of an effective cybersecurity management program, we take a deeper dive into the process of implementing cybersecurity controls and provide an overview of some leading cybersecurity control standards.
What are cybersecurity controls?
Cybersecurity controls include safeguards or countermeasures implemented by an organization to protect itself from an incident that may result in the compromise of electronic information. When discussing cybersecurity, a compromise of electronic information means any event that reduces the confidentiality, integrity, or availability of that electronic information. In a rapidly evolving technology and cybersecurity landscape, the conventional wisdom is that any organization can and will suffer a security incident—it’s a matter of when, not if. This very premise is what makes the strategic and effective implementation of cybersecurity controls so important.
Cybersecurity controls may be of several types. Some are preventive; some are detective. Some are automated with configurable technical safeguards; some are manual procedures. It is through an effective balance of cybersecurity controls across people, process, governance, and technology that an organization may not only enhance its ability to defend against a compromise, but also increase its ability to detect an inevitable security compromise while at the same time limiting its exposure and impact.
Cybersecurity controls may:
- Prevent – An organization performs these activities to make it more difficult for an attacker to compromise its systems, including vulnerability testing and server hardening, network segmentation, password hygiene, and user access provisioning controls.
- Detect – These controls include activities that an organization performs to discover security incidents in progress and alert cybersecurity support personnel to them. Detective controls may involve reviews of firewall and server logs, intrusion detection system (IDS) logs, and changes to system configurations.
- Respond – Response and recovery controls are critical as they are performed once a breach or other incident has occurred. These controls include the creation of an incident response plan: a communication plan to notify authorities, management and affected stakeholders (including end users, trading partners, and insurance carriers), an approach to restore affected services, performance of a root cause analysis of the compromise, and the implementation of controls or system changes to prevent a recurrence.
Seven steps to cybersecurity control implementation
When implementing cybersecurity controls, an organization should follow seven key steps:
- Select control standard – Several respected industry groups have prepared cybersecurity standards organizations can implement. [See the control standards sidebar for an overview.] Organizations can use these standards like a “controls catalog” to select the controls relevant for their specific risk profile and environment. The standards offer extremely useful guidance for organizations given their comprehensiveness. Organizations may not be fully aware of cybersecurity management processes and procedures. These standards offer critical insight into the specific controls that may be implemented as well as the management processes that an organization may follow to govern and oversee the cybersecurity efforts of the organization.
- Align controls with data classification and risk assessment – Following data classification (which we discussed in a previous article), an organization may decide to follow a risk-based approach to implement controls, i.e., more valuable assets require more protection than less valuable assets. Resources are limited for all organizations, so when planning for a cybersecurity control implementation, organizations will need to decide which controls offer the most efficient protection and work to implement those controls.
- Prioritize – Implementing cybersecurity controls can be a time-consuming and sometimes expensive process. For example, technical safeguards like encrypting data at rest and in processing may require application architecture changes; network segmentation could require the acquisition of new networking infrastructure. Other procedural changes may not have a hard cost associated with the implementation, but the changes could require significant resources and time to implement. Organizations will need to align anticipated control benefits with available resources and prioritize the order of implementation.
- Design controls – While control standards provide a “controls catalog” approach for organizations to follow, the specifics of how an organization will perform any given control need to be designed. For technical safeguards, device-specific configurations will need to be researched and defined. For manual procedures, discrete aspects like responsible performer, frequency of performance, required documentation, specific activities, and control documentation will need to be defined.
- Train control performers and users – Before controls can be successfully implemented, an organization must train control performers on their responsibilities. Additionally, if certain controls require end-user participation to help identify potential security incidents, the users will need to be trained and understand the role/responsibility expected of them.
- Implement – With all the planning, design, and training out of the way, this is the phase in which the control owners can put the new procedures into place and begin following the new controls. In the implement phase, robust technical configurations are put in place for applications, servers, and network infrastructure. For manual or procedural controls, organizations implement the new workflows, and review activities and performance documentation specified in the control designs.
- Integrate with monitoring function – A major challenge for all process implementation and improvement projects is ensuring the new processes continue to be performed over time. In the next article in this series, we’ll provide more detail on monitoring cybersecurity controls to help organizations ensure operational effectiveness.
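As an added illustration of steps 2 and 3 above (aligning controls with data classification and risk assessment, then prioritizing within available resources), and not code from the original article, the following Python sketch ranks a small constructed control catalog by risk reduction per person-day of implementation effort under a fixed budget. All asset names, classification weights, likelihoods, costs and reduction factors are assumed values for the example.

```python
"""Risk-based control prioritization: an added illustration, not from the article."""
from dataclasses import dataclass

# Data classification tiers, most valuable first (weights constructed for the example)
CLASS_WEIGHT = {"restricted": 5, "confidential": 3, "internal": 1}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # key in CLASS_WEIGHT
    likelihood: int      # 1 (rare) .. 5 (likely), taken from the risk assessment

@dataclass(frozen=True)
class Control:
    name: str
    cost: int            # implementation effort in person-days (constructed)
    reduction: float     # fraction of risk the control removes on assets it covers
    covers: frozenset    # names of the assets the control protects

def asset_risk(a: Asset) -> int:
    """Risk score = data value (from classification) x likelihood."""
    return CLASS_WEIGHT[a.classification] * a.likelihood

def control_benefit(c: Control, by_name: dict) -> float:
    """Total risk removed across the assets the control covers."""
    return sum(asset_risk(by_name[n]) * c.reduction for n in c.covers if n in by_name)

def prioritize(controls, assets, budget: int):
    """Greedy order by benefit per person-day; controls that overrun the budget are deferred.
    Returns (ordered control names, total risk removed, person-days used)."""
    by_name = {a.name: a for a in assets}
    ranked = sorted(controls, key=lambda c: control_benefit(c, by_name) / c.cost, reverse=True)
    chosen, spent, gained = [], 0, 0.0
    for c in ranked:
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
            gained += control_benefit(c, by_name)
    return chosen, gained, spent

# Constructed sample asset inventory and control catalog (hypothetical values)
ASSETS = [Asset("hr-db", "restricted", 4), Asset("web-portal", "confidential", 5), Asset("wiki", "internal", 2)]
CONTROLS = [
    Control("db-encryption-at-rest", 20, 0.5, frozenset({"hr-db"})),
    Control("network-segmentation", 30, 0.4, frozenset({"hr-db", "web-portal"})),
    Control("ids-log-review", 10, 0.3, frozenset({"hr-db", "web-portal", "wiki"})),
    Control("incident-response-plan", 15, 0.3, frozenset({"hr-db", "web-portal", "wiki"})),
]

if __name__ == "__main__":
    print(prioritize(CONTROLS, ASSETS, budget=50))
```

With a 50 person-day budget the cheap, broad detective and response controls rank first and the costly segmentation project is deferred to a later cycle, which is the trade-off the prioritize step asks an organization to make explicit.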
Cybersecurity control standards
A variety of cybersecurity control standards exist. The sidebar includes a snapshot of the four most frequently utilized. It’s important to note that depending on an organization’s business environment, certain control standards may be required either by industry associations or government regulation. Before selecting a control standard to form the basis of an organization’s cybersecurity program, one needs to understand whether contractual obligations stipulate the use of a specific control standard. It’s also a good idea to discuss this with legal counsel to ensure any regulatory requirements are considered.
Implementing a risk-based selection of cybersecurity controls is a critical step in executing a cybersecurity management program. By selecting and employing a cybersecurity controls standard, an organization is better suited to protect against, identify, and respond to potential incidents that result in system compromise and data breach. The cybersecurity control standards contain thorough guidance that covers the entire lifecycle of cybersecurity management. By selecting and following these standards, an organization can be more confident in the completeness of its cybersecurity control environment and more easily answer the questions: Are we doing the right things? And are we in control?
Control standards snapshot
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Mandated by executive order, this framework unifies many leading control standards, including NIST SP 800-53 and International Standardization Organization (ISO) 27000 Series, into a comprehensive framework for how organizations can improve the cybersecurity of critical infrastructure. The core of the framework groups control categories in terms of functions within the cybersecurity lifecycle: identify, protect, detect, respond, and recover. Control activity details can be found in the informative references associated with each control category.
Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53): One of the most comprehensive, this standard for security controls is used by organizations doing business with the United States government. Recently, we’ve seen this gain more widespread acceptance. Categorized in terms of system impact, the control catalog specifies control baselines for high, moderate, and low impact systems.
ISO 27001: This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an information security management system.” The ISO standard sets out the process an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system; it does not provide assurance on the implementation of controls specified within Annex A.
SANS Critical Security Controls: The SANS Institute prioritizes security functions with an emphasis on “what works” and defines the top twenty control areas for enhancing cybersecurity. Of the standards we’ve presented, this is aimed at a more technical audience. Across the twenty control areas there are more than 100 implementation activities organized into “quick win,” “visibility/attribution,” “configuration/hygiene,” and “advanced” categories. For organizations just starting to formalize a cybersecurity management program, the “quick win” controls throughout the standard are a great place to begin.
For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.