3 Understanding Security Controls
This chapter covers
- Categories of security controls
- Types of security controls
- Combining security controls to create defense in depth
Organizations implement security controls to reduce risk to an acceptable level. As discussed in the previous chapter, the specific security controls that apply to an asset depend on its nature. For example, corporate laptops require strong passwords, while a public Web site requires a firewall to restrict the traffic it accepts from the Internet. These controls, passwords and firewalls, are different, yet each is appropriate for the asset it protects. In addition to the characteristics of the asset, factors such as the value of the asset, its vulnerabilities, and the likelihood that a threat will exploit those vulnerabilities must be considered.
Implementing security controls can be costly and disruptive to business operations. When selecting security controls, a balance should be sought between the expected risk and the cost of implementation: a control that costs more than the loss it prevents does not reduce risk in any meaningful sense. Because organizations operate under budget constraints, it is critical to select the controls that are most effective for the risk being addressed. In addition, these controls must be implemented in a way that supports, rather than hinders, the organization's business operations; a control that users routinely work around provides little protection.