The InfoSec Guide to the 10 Types of Information Security Controls

Have you ever managed to extract a file folder from a locked filing cabinet? Most likely not. That lock is a simple example of an information security control. Computers are no different, except that information security controls today are significantly more sophisticated. 

And they need to be, as cyber threats are causing massive disruptions worldwide. Ransomware incidents increased by a staggering 60% from 2022 to 2023. There was also a 49% jump in overall cybercrime losses, from $6.9 billion in 2021 to $10.3 billion in 2022.

Information security controls help detect cyber threats, prevent them from damaging information assets, and correct damage if it occurs. 

The 3 Principles of Information Security 

Understanding information security controls must begin with understanding the purpose of information security. The term “Information Security” (InfoSec) dates back to old-school nerdiness in the era of crewcuts and pocket protectors. As prehistoric as these people may have been, they had a clear and still extremely useful way to define the purpose of InfoSec.

They came up with three core goals for information security:

• Confidentiality—Information security efforts should endeavor to keep information private, ensuring that only those with permission can access a given data set.
• Integrity—The information in computer systems should have integrity, meaning that users can be confident that it has not been modified or selectively deleted by accident or malicious act.
• Availability—Information should be available to users to the greatest extent possible, ideally 100% of the time. 

The three goals are known as the “CIA Triad.” They underpin nearly every aspect of cybersecurity and form the foundation for information security controls. Today, the CIA Triad applies to software, data storage, networks, cloud-based systems, SaaS security, and virtually any other digital asset in cyberspace. 

What are Information Security Controls

Information security control is a safeguard that realizes some aspects of the CIA Triad. For confidentiality, for example, you might implement a control that uses an identity and access management (IAM) system to block unauthorized users from data you want to keep confidential. 

Some organizations set up their controls under a control framework, such as the National Institute of Standards (NIST) Cybersecurity Framework (NIST CSF) or ISO 27001. These frameworks suggest dozens of controls, and consultancies and auditors work with organizations in their implementation. 

Each information security control has a “Control Objective,” which states the purpose of the control. For example, NIST CSF has a control for “Identity Management and Access Control (PR.AC),” whose objective holds that “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.”

Following the control objective, each control has a set of control activities that realize the objective. PR:AC, for instance, has six sub-categories of control activity that support fulfilling the control objective. One of these sub-categories is PR.AC-1, which requires an organization to deploy a solution so that “Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.” In practice, this means some sort of IAM system.

It may seem overly elaborate to require a control objective and a list of control activities to operationalize the CIA Triad. A small organization might not need to go through the whole hassle. However, working off an information security controls framework is beneficial for most organizations. The framework provides a coherent and complete approach to implementing controls that make the CIA Triad do its job of protecting your data. 

Without the coherence and thoroughness of a framework and its associated objectives and activities, you’ll likely have control gaps that create risk exposure. 

10 Types of Information Security Controls

Getting more granular, there are three categories of control functions: Preventive, detective, and corrective. These control functions deal with preventing attacks on information assets, detecting attacks, and correcting the effects of attacks, respectively. Controls also vary by type, with some controls being physical, such as locks; technical, such as web application firewalls; and administrative, such as data access policies. 

Effective cybersecurity posture comes from deploying a well-thought-through and balanced mix of these functions and types. Controls may be layered, supporting a “defense in depth” security strategy. With that in mind, here are ten types of information security controls that are common across the three control functions:

Preventative Controls 

1. Access controls

Access controls prevent the wrong people from accessing data, networks, SaaS apps, and other system components. They are crucial because unauthorized access is one of the most common cyber risks. Many IAM tools can help you build a robust identity governance framework and implement comprehensive access controls such as multi-factor authentication (MFA) or behavior analytics.

2. SaaS security controls

SaaS apps are new territory for information security controls, mainly because traditional controls don’t cover SaaS well. For example, you can have a practical set of access controls for your network, but they won’t do much to prevent a malicious actor from logging into a SaaS app. 

SaaS apps have their own built-in access management features. These apps will remain vulnerable unless you deploy specialized SaaS security tools that map the established access control list to SaaS. 

Other preventive cyber security controls specific to SaaS include monitoring and remediating misconfigured SaaS apps exposed to threats and policy-based controls that govern who has administrative back-end access to SaaS apps.

3. Data protection controls

Cyber attackers tend to be after data to steal, spy on, or ransom it. Data protection controls like data monitoring and data encryption are, therefore, among the more critical information security controls in force at an organization. Data encryption, for instance, makes data unusable to attackers, preventing the worst outcome of a data breach. 

Ransomware protections, such as immutable backups and logical air gaps, are preventive data protection controls. They make it harder for a ransomware attacker to achieve his objective of encrypting data and ransoming it.

4. Patch management

Some of the worst cyber attacks exploit vulnerabilities that could have been fixed with software patches but weren’t. A patch management regimen is a preventive policy-based control to reduce the likelihood of this outcome. It is usually implemented through a combination of processes and tools. For example, the policy may require you to apply all software patches as they are announced. In practice, this encompasses patch testing and patching prioritization. 

Detective Controls

5. Intrusion detection controls

Intrusion detection controls aim to discover when an attacker is trying to gain unauthorized entry into a system—and then alert the right people or even mitigate the threat automatically. Many intrusion detection systems (IDSs) can fulfill the control objective, though some suffer from false positives and excessive alerting. The new generation of IDSs uses AI to improve accuracy by flagging only actual intrusion attempts.

6. Anomalies and events detection controls

It may be possible to detect an attack by analyzing events occurring in the IT estate and flagging anomalies for investigation. For example, suppose a user located in the United States appears to be logging into a SaaS app from Europe. In that case, that anomaly might indicate that an attack is underway. 

Detective controls in this category may monitor device logs (think of network firewalls or endpoints) and flag suspicious activities for security analysts to examine. Some advanced threat detection tools will automatically mitigate the threats they detect, such as quarantining a device.

7. Vulnerability and misconfiguration scanning

Devices and applications must be configured for security. For example, you can “harden” a server by limiting who can install new software. It is very possible, unfortunately, for a device or application to be misconfigured, making it vulnerable to threats. 

This is a particular concern with SaaS because each SaaS app has its security configurations, and in many cases, individual end users can change these configurations. They can, for example, make data accessible to anyone, not just employees of the organization. 

SaaS security platforms like Suridata can facilitate the implementation of this control by enabling system owners to scan multiple SaaS apps and detect security misconfiguration vulnerabilities that expose the apps to risk. 

Corrective Controls 

8. Incident response plans

An incident response plan is a corrective control that counteracts the impact of a cybersecurity incident. Like most corrective controls, it works in tandem with a detective control. When a detective control signals that an incident has occurred, that triggers the incident response plan, which corrects the incident by quarantining compromised endpoints, reinstalling infected software, or notifying key stakeholders. 

9. Disaster recovery plans

Disaster recovery plans are a vital part of any cyber threat intelligence framework. The control objective of disaster recovery (DR) plans is to support the availability of systems and data. A good DR plan restores data and system functionality in a cyberattack or any other event that causes an outage.

10. Data backups

A data backup serves as a corrective control in case of a data breach or outage affecting data availability. By backing up data and providing the ability to restore it in the wake of an attack, the control mitigates the effect of the breach and realizes the control objective of data availability. 

Getting The CIA Triad Under Control, Everywhere

Information security controls are essential for preventing, detecting, and correcting security incidents that adversely affect data and systems’ confidentiality, integrity, and availability. Whether you implement them ad hoc or endeavor to operationalize a large-scale controls framework like NIST CSF, you will always be dealing with the same issues: What is the control objective, and what activities will it take to attain it?

SaaS can be a challenging environment for information security controls. Apps are freestanding and delivered by external entities. Individual end users may be able to set their controls—often at odds with organizational security policy and even common sense. 

New SaaS security solutions like Suridata can improve this risky setup.  By monitoring the entire SaaS environment and flagging data at risk and insecure misconfigurations, they provide the basis for defining and implementing information security controls for SaaS apps. Learn more about Suridata.