Thursday, April 1, 2010

Information Security Controls

The security of information has become the most prevalent problem on the Web today. The NIST publication "NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems" lists and defines these controls in three categories: management, operational, and technical.

Management Controls deal with security project management and with the design and implementation of policies, procedures and standards throughout the organization. These include provisions for risk management: assessing and identifying risk, evaluating risk controls, summarizing findings, and then selecting a cost-effective control and installing and implementing it within the organization. They also include periodic and systematic review and evaluation of the security policy, either within the organization or by independent reviewers, together with policies for the revision and approval of any changes that result from those reviews. The major Management Controls are:
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing
5. System Security Plan

Operational Controls cover planning for incident response, disaster recovery and business continuity. These include policies on reporting and escalating security incidents, preparing a proper line of response, incident classification, evidence collection, and reporting for knowledge sharing. They also include procedures to ensure continuity of operations and restoration of company operations in the event of an interruption or failure. The recovery plans need to be constantly evaluated, updated and tested to keep up with the latest business operations of the company. Provisions for physical security are included in operational controls: access cards, gates and the like; securing server rooms, office rooms and facilities; security of media and information in transit; equipment protection and maintenance; cable security; disposal of equipment and information; removal of equipment from the premises; and public access to the company's information and assets. Other important areas covered are personnel security and production, input/output controls. Operational controls also ensure that all employees are trained and educated on information security and are aware of their responsibility for complying with policy, maintaining security, and reporting any security breaches or incidents.
The major Operational Controls are:
1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning
5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability

Technical Controls involve researching and selecting the technology necessary to develop and implement security controls in an organization. These include technology for physical access (cards, passwords, or a combination of both), technology for remote access, policy on third-party software, and email and Internet policies. They also include policies for remote monitoring, audit trails, and automated audits for any information security incidents.
The major Technical Controls are:
1. Identification and Authentication
2. Logical Access Controls
3. Audit Trails
