There are many different flavors of controls, so be sure to understand them all. Starting with what they do:
- Preventive – tries to prevent something bad from happening, like a fence
- Detective – tries to identify/notify when something bad actually happens, like an audit log
- Corrective – tries to fix or recover from the bad thing that happened, like terminating an employee
Controls can also be placed into categories:
- Management – refers to policy or human related controls, such as policy development
- Operational – relating to processes or day-to-day operations, such as account provisioning
- Technical – something that technology handles, such as authentication
Another categorization scheme groups controls as follows:
- Physical – related to facilities, such as the fence previously mentioned
- Administrative – related to policies and people processes, such as the hiring/firing process
- Technical – related to or controlled by technology, such as the audit logging capabilities
And the last few:
- Common or Inheritable – related to things that are controlled at a higher level and applicable across the organization.
- Tailored controls – when the control is tuned for a specific standard or use-case, such as adding a 60-day threshold to the control “user accounts must expire [after 60 days of inactivity]” instead of “user accounts must expire [at an organization-defined frequency]”.
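As an added example (not part of the original notes), the script below shows the tailoring idea in working code: a baseline control statement with an organization-defined parameter, the same control tailored to the 60-day threshold, and a detective check that tests the tailored control against account records. The control identifier, the statement wording, the `inactivity_days` parameter name and the account records are all constructed for this illustration and do not come from any real control catalog.

```python
"""Tailoring an organization-defined control parameter and testing it.

Added example, not from the original notes. The control identifier, the
threshold value and the account records are constructed so the script
runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    """A control statement with one organization-defined parameter."""
    identifier: str            # constructed identifier, not a real catalog entry
    statement: str             # contains a {param} placeholder
    parameter_name: str        # hypothetical parameter name
    value: Optional[int] = None  # None until the organization tailors it

    def tailor(self, value: int) -> "Control":
        """Return a tailored copy with the organization-defined value filled in."""
        if value <= 0:
            raise ValueError("inactivity threshold must be a positive number of days")
        return Control(self.identifier, self.statement, self.parameter_name, value)

    def text(self) -> str:
        """Render the statement as written in the baseline or as tailored."""
        if self.value is None:
            return self.statement.format(param="[at an organization-defined frequency]")
        return self.statement.format(param=f"[after {self.value} days of inactivity]")


# The baseline version of the control, still carrying the open parameter.
BASELINE = Control(
    identifier="AC-EXAMPLE-1",
    statement="user accounts must expire {param}",
    parameter_name="inactivity_days",
)

# Constructed sample records: (username, last login date, account enabled?)
SAMPLE_ACCOUNTS: List[Tuple[str, date, bool]] = [
    ("alice", date(2024, 5, 20), True),   # recently active
    ("bob", date(2024, 3, 1), True),      # well past 60 days
    ("carol", date(2024, 1, 15), False),  # already disabled, so not in scope
    ("dave", date(2024, 4, 2), True),     # exactly 60 days: still within the threshold
    ("erin", date(2024, 4, 1), True),     # 61 days: over the threshold
]


def inactive_accounts(accounts: List[Tuple[str, date, bool]],
                      control: Control, today: date) -> List[str]:
    """Detective check: enabled accounts whose inactivity exceeds the tailored threshold.

    The check refuses to run against an untailored control, because the
    baseline wording has no concrete threshold to test against.
    """
    if control.value is None:
        raise ValueError("control must be tailored before it can be tested")
    cutoff = today - timedelta(days=control.value)
    return sorted(
        name for name, last_login, enabled in accounts
        if enabled and last_login < cutoff
    )


if __name__ == "__main__":
    tailored = BASELINE.tailor(60)
    print("Baseline:", BASELINE.text())
    print("Tailored:", tailored.text())
    print("Flagged  :", inactive_accounts(SAMPLE_ACCOUNTS, tailored, date(2024, 6, 1)))
```

Changing the argument to `tailor()` is the whole tailoring decision: the same baseline statement and the same check yield a different set of flagged accounts under a 90-day threshold, which is why an auditor examines the tailored value rather than the generic baseline wording.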
Controls can be evaluated in three ways:
- Testing – live interaction with the system
- Interviewing – staff and management to verify the controls
- Examining – documents that prove how the control was implemented
Control Selection for Security and Privacy
Organizations can select security and privacy controls using various frameworks. As outlined in the “Select” step of the Process chapter in the NIST Risk Management Framework (RMF), there are two primary approaches for the initial selection of security and privacy controls: baseline control selection and organization-generated control selection.
Baseline Control Selection Approach
This method utilizes predefined control baselines, which are curated sets of controls designed to address the protection needs of a specific group, organization, or community. These baselines serve as a foundational starting point for safeguarding individuals’ privacy, information, and information systems. A key advantage of this approach is that it promotes consistency across a broad community of interest.
Organization-Generated Control Selection Approach
Unlike the baseline approach, this method does not rely on a predefined set of controls. Instead, the organization develops its own selection process to identify appropriate security and privacy controls. This approach is particularly useful for specialized systems, such as weapons systems or medical devices, or for systems with a narrow scope, like smart meters. In such cases, a bottom-up approach—where controls are selected specifically for the system—can be more efficient and cost-effective than a top-down approach, where controls from a broad-based baseline are tailored by removing unnecessary elements.
Regardless of the approach used, organizations define a comprehensive set of security and privacy requirements through a life cycle–based systems engineering process, such as ISO 15288 or NIST SP 800-160 Vol. 1.