What is Good Cyber Hygiene?–Part 3

In my previous article we discussed four different internal controls: Preventative Controls, Detective Controls, Corrective Controls, and Compensating Controls. Let's now shift our focus to three other categories: Administrative, Physical, and Technical Controls.

Types of Administrative Controls

Administrative controls are the bible of your organization. Much thought should be given to developing them, because they are the starting point for any organization's security program.

  • Policies and Procedures – Organizational directives for operations, such as policies regarding privacy, acceptable use, passwords, hiring practices, employee supervision, termination, archival, backup, and recovery.
  • Service Level Agreements (SLA) – Your organization may work with Cloud Providers or Software as a Service providers that support your operations. Your SLAs deal with the priorities, responsibilities, and guarantees of the service providers your organization works with. They often contain metrics for availability, recovery, and bandwidth.
  • Security Related Awareness and Training – A very important control that helps reduce the human error that can result in a cyber security breach. These are mechanisms for broad communication and reinforcement of security policies and threat awareness.
  • Change and Configuration Management – Processes for documenting, assessing, and approving modifications to infrastructure, policies, hardware, and software configurations of Information Technology or Operational Technology.
  • Patch Management – Your formalized procedures for routinely updating software and computer operating systems, keeping them current and free of known vulnerabilities.


Common Technical Controls

These are the common technology controls that organizations use. Note that this list does not cover every type of technical control. As technology develops to address growing cyber threats, more controls will be added to this list.

  • Firewalls
  • Network Segmentation
  • Two-Factor Authentication (aka MFA)
  • Encryption of Data
  • User Credentials
  • Access Control Lists
  • Passwords
  • System Logs
  • Intrusion Detection/Prevention Systems
  • Security Event Management Systems
  • Malware Detection


Common Physical Controls

These are the environmental controls for your buildings and grounds. The reason to protect them is that if a bad actor could gain physical control of your environment, they could take it out of service or perform other malicious actions. Depending on your organization, you may or may not need to implement all of these. However, they should be reviewed in light of your operations and the data you are protecting.

  • HVAC Systems
  • Fire Suppression
  • EMI Shielding
  • Environmental Monitoring
  • Video Monitoring
  • Fences, Gates, and Walls
  • Lighting
  • Access Cards
  • Guards
  • Locks
  • Turnstiles and Mantraps


At this point it becomes obvious why a random Google search on the best cyber hygiene is woefully inadequate to protect your organization.

This prompts the question: where do you find a source of controls that can guide your organization toward good cyber hygiene?

The first area to look at is what regulation(s) your business is subject to. Regulatory laws point out what data you need to protect, and from there you can develop your administrative, technical, and physical controls. One interesting development in cyber regulation is laws requiring certain controls or procedures to be in place. For example, the California Consumer Privacy Act (CCPA) requires organizations to have procedures in place for handling customer requests asking what data the company holds on the customer, amongst other things.

However, following the law does not mean your organization has a complete Cyber Security Program. For example, say your organization takes credit cards and is subject to the Payment Card Industry (PCI) standards for protecting credit card data. PCI Compliance only deals with protecting credit card data and securing the technology used to process cards. Most businesses have other operations that rely on technology, such as Customer Relationship Management software. What are you doing to protect that technology, which PCI Compliance doesn't necessarily address?

Going beyond the world of regulation, there are Frameworks you can adopt that will help you identify how to protect the critical assets of your organization.

The National Institute of Standards and Technology (NIST) is a good source to start with. NIST sets Frameworks for Cyber Security on the Federal and State Level, and many industries borrow from or comply with NIST Frameworks. The NIST 800 series is an open source standard that is gaining more popularity in cyber security. It is very comprehensive and well known to IT Professionals.

For example, if you want to learn about Industrial Control System (ICS) Security, NIST has an entire framework in which you can read about ICS Security Architecture and determine from there what will work best for your organization.

In 2014 NIST came out with the NIST Cybersecurity Framework 1.0 (updated to version 1.1 in April 2018), which applies the NIST recommended controls. It takes all the controls that apply to Federal Agencies and distills them into a more tenable list for private industries. It also introduces controls under the different functions of Identify, Protect, Detect, Respond, and Recover. One thing to point out is that in 2023 NIST is developing the next generation of the cybersecurity framework, called NIST Cybersecurity Framework 2.0. The 2.0 framework is set to be released sometime in 2024. All NIST Framework documents can be accessed here.

I have seen IT Professionals use the NIST Cybersecurity Framework to help a business better understand weaknesses in its cyber security program and use it as a guide to map a plan of improvement. For companies that outsource IT management and Cyber Security, one thing you should ask about is whether the provider uses the NIST Cybersecurity Framework. Also ask whether they will show you the results of their assessment, so you have a big picture view of what you're facing and what improvements you can make over time.

For companies not based in the United States, or based in the USA but with international operations, the International Organization for Standardization (ISO) is very popular in various industries. ISO 27001 is an international standard that provides requirements for an information security management system. It is part of the ISO/IEC 27000 family of standards, which helps organizations of all sectors and sizes manage the security of their assets. ISO standards can be used in different ways: they can be applied at the organizational level, to specific departments, or to specific services within the organization.

A third option is looking at your industry and seeing what frameworks have been developed by your competitors and peers. You can look to Trade Associations for guidance in this area. Another option is joining an Information Sharing and Analysis Center (ISAC). Some ISACs have developed Frameworks or have information on specific Frameworks that are key to your industry. To find an ISAC for your industry, contact the National Council of ISACs.

Good cyber hygiene is more than just a few talking points about controls. It is part of a comprehensive set of technical, administrative, and physical controls unique to your organization. There are standards (i.e. Frameworks) you can follow which can help you better protect the critical assets of your company.


Image by Cottonbro Studio on Pexels.

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
