Thursday, March 06, 2008

Controls Help Mitigate and Reduce Risks

Controls are administrative, management, technical, and legal methods that are used to manage risk. Controls include policies, procedures, programs, techniques, technologies, guidelines, and organizational structures. They help an organization comply with standards by addressing information security risks, information confidentiality, integrity, and availability.

Security policies and control objectives express management’s commitment to the implementation, maintenance, and improvement of its information security management system. Leading organizations use best-practice information security control measures to satisfy the stated control objectives. Standards frequently do not mandate specific controls, but leave it to the users to select and implement controls that suit them, using a risk-assessment process to identify the most appropriate controls for their specific requirements. Organizations are typically free to select controls as long as their control objectives are satisfied.

Leading organizations follow a Plan, Do, Check, and Act process:

  • Plan – planning

  • Do – implement, operate, and maintain

  • Check – monitor, audit, and review

  • Act – continual improvement

An example of a control standard is ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of Practice for Information Security Management. Network and security assessments are part of the "Check" process and help ensure that you have the proper controls in place and that they are functioning as desired.