Security monitoring | Intrusion detection systems |
Security policies | Security procedures |
Background checks for employees and partners | Security awareness training |
Access control policies | Least privilege access |
Multi-factor authentication for access | Incident response plans |
Security risk assessments | Security infrastructure |
Configuration management | Change control |
Physical security | Physical perimeter security |
Security architecture and landscaping | Secure storage |
Visitor management processes | Emergency response plans |
Security guards | Alarms and alert systems |
Access control systems | Surveillance systems |
Segregation of duties | Disaster recovery plans |
Security risk assessments | Patch management |
Encryption of all data in rest and transit | Secure architecture reviews |
Secure code reviews | Control and audit software installations |
Monitor and audit remote access | Incident communication and reporting |
Threat intelligence gathering | Asset inventory and health checks |
Retiring legacy technology | Secure storage of encryption keys |
Audit access management events | Compliance reporting |
Authentication
Employees are required to pass multi factor authentication before gaining access to offices.Audit Trail
A web server records IP addresses and URLs for each access and retains such information for a period of time as an audit trail.Training
Employees are trained in defensing computing on an annual basis.Peer Review
Design changes to a critical system require a secure code review.Communication
Employees are prohibited from attaching documents to internal emails as they can easily be misaddressed. Instead, employees send a link to a document management system that offers authentication and authorization.Incident Management
Any employee who loses an electronic device that has been used for work is required to report an incident immediately.Cryptography
Data in storage is encrypted on all devices.Passwords
Systems perform validation to ensure employees choose strong passwords.Processes
An IT governance process reviews security incidents on a monthly basis.Automation
A website places a three hour freeze on a customer's account if they get their password wrong five times. This dramatically reduces the potential for brute force attacks.Configuration Management
Changes to firewall rules require an approved change request.Security Testing
Major system software releases are required to undergo security testing.Segregation of duties
Segregation of duties is the design of authority such that no one employee can cause an information security incident.| Overview: IT Security Controls | ||
Type | ||
Definition | Actions that are taken as a matter of process, procedure or automation that reduce security risks. | |
Related Concepts | ||
