What is it?
A set of guidelines designed to protect an organization's information security by safeguarding the three standards of confidentiality, integrity, and availability (the CIA triad).
Why is it important?
Controls are important because, without them, an organization has no guidelines for protecting information and assets.
Why does a business professional need to know this?
The primary cybersecurity function is to protect data, which includes keeping people who should not have access away from data (confidentiality), ensuring that data is not altered by unauthorized entities (integrity), and maintaining an environment that makes data accessible when it is needed (availability).
Cybersecurity controls provide guidance to specialists, helping them protect the security environment. These controls fall into various categories, including the following:
- Physical: for example, the organization must provide locks on doors
- Technical: for example, users must use passwords to access systems
- Regulatory/legal: for example, the authorities must be notified if a breach is detected
As part of the process of protecting an organization’s data, an analyst uses a checklist of controls to ensure that proper security measures are applied so that only authorized persons or processes have access to the organization’s data and assets.
These controls are developed mainly by government entities such as the US National Institute of Standards and Technology (NIST). NIST has developed the Risk Management Framework (RMF), a roadmap an organization can follow to properly secure its cybersecurity posture. The RMF asks cybersecurity specialists to assign risk based on the type of system to be secured (e.g., a larger network connected to the internet versus a smaller, disconnected stand-alone network). The larger, connected network would have more or different controls applied, since there is a greater risk of a breach. The disconnected network, while still needing protection, would require less stringent controls.