Sunday, May 26, 2019

Information Technology security control Essay

There are a number of Information Technology security controls. The three most common are physical, technical, and administrative controls; however, many organizations break administrative controls down into two separate categories, procedural and legal controls. Security controls are the means of enforcing security policies that reflect the organization's business requirements (Johnson). Security controls are implemented to protect the information security C-I-A triad (confidentiality, integrity, and availability). Furthermore, security controls fall into three control classifications: preventive, detective, and corrective. These classifications specify when a security control applies: before an incident (preventive), while or after it occurs (detective), or in response to it (corrective).

Physical Controls are exactly what they sound like: physical obstacles used to prevent or deter access to IS resources. Physical controls can be barriers such as locked doors that require some form of authentication/authorization to enter, like a cipher lock or keycard. Biometric scanners are also excellent controls for identifying and admitting authorized personnel. Video cameras and closed-circuit television are further examples of physical controls. For organizations requiring extreme security measures, perimeter barriers such as walls or electric fences are used; additionally, security guards fall into the physical controls category.

Technical Controls are logical and/or software-related controls designed to restrict access to the network infrastructure, components, and data. Discretionary and mandatory access controls, rule- and role-based access controls, and passwords are all examples of technical controls. Physical controls are used to prevent physical access to the physical components, whereas technical controls are implemented to prevent digital/logical access even if physical access is achieved.
Some physical hardware can also fall under the technical control category because it contains the software used to prevent or allow access to the network; firewalls and routers are examples.

Administrative Controls can best be described as the paper-based controls designed to inform personnel who can do what, when, where, why, and how. As stated above, administrative controls are sometimes broken down into two separate categories, procedural controls and legal controls. Procedural Controls are an organization's policies and procedures that all employees must follow in each specific circumstance for which they were written. Examples include security awareness and training, incident response plans, and change controls. Some of these procedures include step-by-step instructions that must be followed for each topic, whereas others are more general controls that may or may not relate to other policies. Legal Controls are controls that must be in place for an organization to operate. Compliance regulations, laws, and standards fall into this category; examples include HIPAA, PCI DSS, GLBA, SOX, FERPA, and CIPA. Administrative controls also protect the organization by informing employees of the punitive measures that can or will follow non-compliance, for example through the Acceptable Use Policy.
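As an added illustration (not part of the original essay), the following Python sketch models how three of the technical controls named above decide an access request differently: a discretionary check (the resource owner administers an ACL), a mandatory check (fixed sensitivity labels that the owner cannot override), and a role-based check (permissions attached to roles rather than to people). The users, roles, labels and file are constructed sample data chosen for the example.

```python
"""Toy access-control decisions: DAC vs MAC vs RBAC.

Added example, not code from the original page. Users, roles, labels
and the sample resource are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Ordered sensitivity labels for the MAC check (constructed sample lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: permissions hang off roles, never off individual users (constructed roles).
ROLE_PERMS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class User:
    name: str
    clearance: str                          # MAC clearance assigned by the organization
    roles: set = field(default_factory=set)  # RBAC role names


@dataclass
class Resource:
    name: str
    owner: str                               # DAC: the owner administers the ACL
    label: str                               # MAC: classification the owner cannot change
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of permissions


def dac_grant(actor: User, res: Resource, grantee: str, perm: str) -> bool:
    """DAC: only the resource owner may hand out permissions on it."""
    if actor.name != res.owner:
        return False
    res.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(user: User, res: Resource, perm: str) -> bool:
    """DAC: the owner always has access; everyone else needs an ACL entry."""
    return user.name == res.owner or perm in res.acl.get(user.name, set())


def mac_allows(user: User, res: Resource, perm: str) -> bool:
    """MAC in the Bell-LaPadula style: read only at or below your clearance
    (no read up) and write only at or above it (no write down)."""
    u, r = LEVELS[user.clearance], LEVELS[res.label]
    if perm == "read":
        return u >= r
    if perm in ("write", "delete"):
        return u <= r
    return False


def rbac_allows(user: User, perm: str) -> bool:
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user.roles)


def authorize(user: User, res: Resource, perm: str) -> bool:
    """Layered decision: every model must allow the action. A DAC grant from
    the owner therefore cannot override the mandatory label check."""
    return (mac_allows(user, res, perm)
            and dac_allows(user, res, perm)
            and rbac_allows(user, perm))


def demo() -> dict:
    """Run the three checks over constructed sample users and one sample file."""
    doc = Resource("q3-report.docx", owner="alice", label="confidential")
    alice = User("alice", "confidential", {"engineer"})
    bob = User("bob", "internal", {"analyst"})
    carol = User("carol", "secret", {"admin"})

    results = {}
    results["bob_self_grant"] = dac_grant(bob, doc, "bob", "write")      # False: not the owner
    results["alice_grants_bob"] = dac_grant(alice, doc, "bob", "read")   # True: owner may grant
    results["bob_dac_read"] = dac_allows(bob, doc, "read")               # True: ACL entry exists
    results["bob_mac_read"] = mac_allows(bob, doc, "read")               # False: internal < confidential
    results["bob_authorized_read"] = authorize(bob, doc, "read")         # False: MAC blocks the DAC grant
    results["carol_mac_write"] = mac_allows(carol, doc, "write")         # False: no write down from secret
    results["carol_rbac_delete"] = rbac_allows(carol, "delete")          # True: admin role carries delete
    results["alice_authorized_write"] = authorize(alice, doc, "write")   # True: owner, same label, engineer
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of `authorize` is the layering: bob receives a discretionary grant from the file's owner, yet the mandatory label still denies the read, which is exactly the property that distinguishes MAC from DAC.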
