There are 3 different internal security control classifications:
A preventative control is meant to stop the breach or incident from happening in the first place, and here’s how you can do that.
- Hire the right kind of people and train them properly.
- Physical access control, such as keycard entry, badge access, man-traps, etc.
- You must have detailed security policies. A policy tells you what you’re trying to do and lets you judge whether it is adequate for what you’re doing. A security policy can be a one-page document with just a few sentences, or it can be as big as 30 pages with sub-sections covering wireless control, locks on doors, and so on.
- It can also be technical, such as encrypting systems to protect the data on them. For instance, we use BitLocker on our laptops. We have NTFS permissions, share permissions, and print permissions.
We have preventive controls here to keep people out of places they shouldn’t be in the first place.
The next one is the detective control. Since we can’t prevent everything all the time, what controls do we have in place to detect an incident we couldn’t catch up front, and how do we detect it while it’s happening?
- This would of course include intrusion detection systems.
- As we go through the production line, there are checkpoints to verify that we’re good at each step.
- Are there any overdue statement reports? This is how we detect that money is due to us.
- Activity log reviews to detect access issues, so that we know who is accessing what.
These are the detective controls. If you’re detecting something, you must also have corrective controls: now that you have detected it, what are you going to do about it?
- Some of this can be automated, like intrusion detection and intrusion prevention systems that detect abnormal traffic on the network and automatically change the firewall rules. Of course, you have to be careful with automated corrections like this.
- Contingency plan, disaster recovery plan, and good clean backups.
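As an added example (not part of the original notes), here is a small Python script that runs the detective control of an activity log review and the corrective step over a constructed sample log, automating only the clearest case and sending everything else to a human, as the caution above suggests. The permitted-shares table, the log lines, the denied-access threshold and the business hours are all assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample activity log: timestamp, user, resource, action, outcome.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice finance_share read OK
2024-03-01T09:05:40 bob hr_share read DENIED
2024-03-01T09:05:42 bob hr_share read DENIED
2024-03-01T09:05:44 bob hr_share read DENIED
2024-03-01T23:10:03 carol finance_share write OK
2024-03-01T10:15:22 alice hr_share read DENIED
"""

# Preventive control (assumed policy): which shares each user is permitted to use.
PERMITTED = {"alice": {"finance_share"}, "bob": {"eng_share"}, "carol": {"finance_share"}}

def parse_log(text):
    """Turn the whitespace-separated log lines into dictionaries with a real timestamp."""
    entries = []
    for line in text.splitlines():
        ts, user, resource, action, outcome = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "resource": resource, "action": action, "outcome": outcome})
    return entries

def review_activity_log(entries, denied_threshold=3, business_hours=(8, 18)):
    """Detective control: report who is accessing what they should not, or at odd hours."""
    findings = []
    denied = Counter(e["user"] for e in entries if e["outcome"] == "DENIED")
    for user, n in denied.items():
        if n >= denied_threshold:                      # repeated denials look like probing
            findings.append(("repeated_denied", user, n))
    start, end = business_hours
    for e in entries:
        if e["outcome"] != "OK":
            continue
        if e["resource"] not in PERMITTED.get(e["user"], set()):   # policy says no, but it worked
            findings.append(("unexpected_access", e["user"], e["resource"]))
        if not (start <= e["ts"].hour < end):                       # successful access after hours
            findings.append(("after_hours", e["user"], e["resource"]))
    return findings

def corrective_action(findings):
    """Corrective control: automate only a narrow, reversible response; the rest is reviewed."""
    actions = []
    for kind, user, _detail in findings:
        if kind == "repeated_denied":
            actions.append(("automated", "block_user_on_share", user))
        else:
            actions.append(("manual", "open_review_ticket", user))
    return actions
```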