Big Picture
Information security protects data and systems from:
- Unauthorized access
- Theft
- Damage
- Attacks
- Misuse
The goal is to preserve the CIA Triad:
          +-------------------+
          |    Information    |
          |     Security      |
          +-------------------+
             /       |       \
            /        |        \
           /         |         \
Confidentiality  Integrity  Availability
- Confidentiality → Only authorized people can access data.
- Integrity → Data remains accurate and unmodified.
- Availability → Systems and data remain accessible when needed.
Security Governance & Risk Management
Cybersecurity is not just a technical issue.
It is part of:
Business Goals
|
v
Risk Management
|
v
Security Policies
|
v
Security Controls
|
v
Protection of Systems & Data
Organizations use:
- Policies
- Frameworks
- Standards
- Procedures
- Security controls
to manage risks consistently.
Security Controls
A security control is anything used to protect:
- Systems
- Networks
- Applications
- Data
- Buildings
- Users
Security controls help achieve:
- Confidentiality
- Integrity
- Availability
- Non-repudiation
Security Control Categories
Controls are grouped by how they are implemented.
                    Security Controls
                            |
      ------------------------------------------------
      |               |               |              |
  Managerial     Operational      Technical      Physical
1. Managerial Controls
Focus on oversight, governance, and planning.
Examples
- Risk assessments
- Security policies
- Compliance audits
- Control evaluation tools
Purpose
Management decides:
- What risks exist
- Which controls are needed
- How security should be governed
Management
|
v
Policies -> Risk Decisions -> Security Strategy
2. Operational Controls
Implemented mainly by people and processes.
Examples
- Security guards
- Employee awareness training
- Incident response procedures
- Backup procedures
Purpose
Human-driven security operations.
People + Procedures
|
v
Operational Security
3. Technical Controls
Implemented using:
- Hardware
- Software
- Firmware
Examples
- Firewalls
- Antivirus
- IDS/IPS
- Encryption
- Access Control Lists (ACLs)
Purpose
Automated technical protection.
System Protection
|
+--> Firewall
+--> Antivirus
+--> Encryption
+--> Access Control
4. Physical Controls
Protect physical assets and facilities.
Examples
- Cameras
- Locks
- Alarms
- Gates
- Lighting
- Security guards
Purpose
Prevent unauthorized physical access.
Building Security
|
+--> Locks
+--> Cameras
+--> Alarms
Functional Types of Security Controls
Controls are also categorized by what they do.
                          Functional Types
                                 |
      ----------------------------------------------------------
      |            |            |            |            |
  Preventive   Detective   Corrective   Directive   Deterrent
                                                          \
                                                           -> Compensating
1. Preventive Controls
Stop attacks before they happen.
Attack Attempt
|
X Prevented
Examples
- Firewalls
- ACLs
- MFA
- Antivirus
- Patch management
- SOPs
Key Idea
Reduce the likelihood of a successful attack.
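Preventive controls are easiest to reason about when the logic is written down. The following is an added example (not part of the original notes) of a default-deny access control list, the kind of rule set behind the ACL and MFA items listed above: an explicit deny always wins, a request that matches no allow rule is denied, and an allow rule can require that the session used MFA. The rule format, resource names and sample requests are constructed for the illustration and do not follow any particular product's syntax.

```python
"""Preventive control example: a default-deny ACL with an MFA requirement.

Added illustration, not from the original notes. The rule format, the
resource names and the sample requests are constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One ACL entry. action/resource accept shell-style wildcards."""
    effect: str                 # "allow" or "deny"
    principal: str              # identity or group, e.g. "group:finance"
    action: str                 # e.g. "read", "write", "*"
    resource: str               # e.g. "ledger/*"
    require_mfa: bool = False   # allow applies only to MFA-authenticated sessions


@dataclass(frozen=True)
class Request:
    principals: frozenset       # every identity the caller carries (user + groups)
    action: str
    resource: str
    mfa: bool = False


def evaluate(rules, request):
    """Return (decision, reason) with preventive, least-privilege semantics:
    explicit deny beats allow; no matching allow means deny (default deny);
    an allow rule marked require_mfa does not fire for a non-MFA session."""
    allowed_by = None
    for rule in rules:
        if rule.principal not in request.principals:
            continue
        if not fnmatchcase(request.action, rule.action):
            continue
        if not fnmatchcase(request.resource, rule.resource):
            continue
        if rule.effect == "deny":
            return "deny", f"explicit deny: {rule}"
        if rule.require_mfa and not request.mfa:
            continue            # this allow does not apply; default deny still stands
        allowed_by = allowed_by or rule
    if allowed_by is not None:
        return "allow", f"allowed by: {allowed_by}"
    return "deny", "no matching allow rule (default deny)"


# Constructed policy: finance may read the ledger, may write only with MFA;
# a contractor may read everything except payroll.
POLICY = [
    Rule("allow", "group:finance", "read", "ledger/*"),
    Rule("allow", "group:finance", "write", "ledger/*", require_mfa=True),
    Rule("deny", "user:contractor", "*", "ledger/payroll"),
    Rule("allow", "user:contractor", "read", "ledger/*"),
]


def demo():
    """Evaluate a fixed set of constructed requests; returns name -> decision."""
    finance = frozenset({"user:alice", "group:finance"})
    contractor = frozenset({"user:contractor"})
    cases = {
        "finance read": Request(finance, "read", "ledger/2024"),
        "finance write, no MFA": Request(finance, "write", "ledger/2024"),
        "finance write, MFA": Request(finance, "write", "ledger/2024", mfa=True),
        "contractor read payroll": Request(contractor, "read", "ledger/payroll"),
        "contractor read other": Request(contractor, "read", "ledger/2024"),
        "unknown principal": Request(frozenset({"user:mallory"}), "read", "ledger/2024"),
    }
    return {name: evaluate(POLICY, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The two design choices worth noticing are that the loop keeps scanning after a matching allow so that a deny placed later in the list still wins, and that an MFA-gated allow simply does not apply to a password-only session, so the request falls through to the default deny rather than to a weaker allow.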
2. Detective Controls
Detect attacks while they happen.
Attack Happening
|
v
Detection & Logging
Examples
- Logs
- SIEM systems
- IDS
- Security cameras
Key Idea
Visibility and monitoring.
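What "detection and logging" means in practice is a rule run over events. The block below is an added example (not from the original notes) of a detective control: it parses a handful of syslog-style SSH authentication lines and raises an alert when one source address produces five or more failed logins inside a sixty-second window, and a second alert if that same source then logs in successfully. The log lines are constructed for the example and use documentation address ranges; the line format, field names, threshold and window are assumptions, not a real SIEM's rule language.

```python
"""Detective control example: spotting a login brute-force in auth logs.

Added example, not from the original notes. The log lines are constructed
(syslog-like sshd messages, documentation IP ranges); threshold and window
are assumed values a real SIEM rule would make configurable.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of failures from 203.0.113.7 followed by a
# success, plus ordinary noise from 198.51.100.4.
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-05-01T10:00:03 srv sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
2024-05-01T10:00:04 srv sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-05-01T10:00:06 srv sshd[811]: Failed password for root from 203.0.113.7 port 50125 ssh2
2024-05-01T10:00:09 srv sshd[811]: Failed password for alice from 203.0.113.7 port 50126 ssh2
2024-05-01T10:00:15 srv sshd[811]: Accepted password for alice from 203.0.113.7 port 50127 ssh2
2024-05-01T10:05:00 srv sshd[902]: Failed password for bob from 198.51.100.4 port 41000 ssh2
2024-05-01T10:05:30 srv sshd[902]: Accepted publickey for bob from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"].lower(),   # "failed" or "accepted"
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, threshold=5, window_seconds=60):
    """Sliding-window rule over events sorted by time.

    >= threshold failures from one source within window_seconds raises
    ('brute_force', src, time); a later success from a flagged source raises
    ('success_after_failures', src, user), which is the higher-priority alert.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()                      # drop failures older than the window
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["ts"].isoformat()))
        elif ev["outcome"] == "accepted" and ev["src"] in flagged:
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
    return alerts


def detect_sample():
    """Run the rule over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

Two alerts come out of the sample: the brute-force burst itself and the successful login that follows it, which is the one an analyst should look at first because it suggests a guessed password rather than a failed attempt. The second source produces a single failure and is correctly left alone.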
3. Corrective Controls
Reduce damage after an incident.
Attack Occurs
|
Damage Happens
|
Recovery & Restoration
Examples
- Backups
- Disaster recovery
- System restore
- Reimaging systems
Key Idea
Recovery and remediation.
4. Directive Controls
Tell users what they must do.
Examples
- Policies
- SOPs
- Employee contracts
- Security awareness training
Rules
|
v
Expected Behavior
5. Deterrent Controls
Discourage attackers psychologically.
Examples
- Warning signs
- Security notices
- Legal banners
- Visible cameras
Attacker Sees Warning
|
v
"Maybe I shouldn't continue"
6. Compensating Controls
Alternative protection when the main control cannot be used.
Example
A legacy system cannot be patched:
Cannot Patch System
|
v
Network Segmentation
|
v
Reduced Exposure
Key Idea
Different method, same protection goal.
Security Policy
A security policy is the formal document describing:
- How security is implemented
- What users must do
- How systems are protected
It supports the CIA triad.
Security Policy
|
+--> Rules
+--> Responsibilities
+--> Standards
+--> Procedures
Organizations with strong policies and frameworks usually have:
- Better security posture
- Better compliance
- Lower risk exposure
Information Security Roles
Security responsibilities are distributed across the organization.
CIO — Chief Information Officer
Overall responsibility for IT.
CIO
|
+--> IT Strategy
+--> IT Governance
+--> Business Alignment
CTO — Chief Technology Officer
Focuses on technology innovation.
Responsibilities
- Emerging technologies
- Technical strategy
- Technology adoption
CSO / CISO
Dedicated security leadership.
Responsibilities
- Security governance
- Risk management
- Cybersecurity strategy
- Incident oversight
CISO
|
+--> Security Policies
+--> Security Teams
+--> Compliance
+--> Risk Management
ISSO — Information Systems Security Officer
Technical implementation role.
Responsibilities
- Monitoring systems
- Applying controls
- Managing access
- Security operations
Managers
Responsible for specific domains.
Examples
- Finance systems
- Web services
- Physical facilities
Employees
Everyone shares responsibility.
Responsibilities
- Following policies
- Reporting incidents
- Maintaining security awareness
Information Security Competencies
Security professionals require broad skills.
                  Cybersecurity Professional
                              |
      -------------------------------------------------------
      |           |           |           |            |
    Risk       Systems      Access     Incident     Business
    Mgmt       Security     Control    Response     Continuity
Typical Activities
- Risk assessments
- Secure system configuration
- Access management
- Audit log monitoring
- Incident response
- Disaster recovery planning
- Security awareness training
Security Business Units
SOC — Security Operations Center
Centralized security monitoring team.
       +----------------+
       |      SOC       |
       +----------------+
         /      |      \
        /       |       \
   Monitor    Detect    Respond
Responsibilities
- Continuous monitoring
- Threat detection
- Incident response
- Security operations oversight
Usually found in:
- Governments
- Large enterprises
- Healthcare organizations
DevSecOps
Integration of:
- Development
- Operations
- Security
Traditional:
Development -> Operations -> Security
DevSecOps:
Development <-> Operations <-> Security
(continuous collaboration)
Shift Left Concept
Security is added early in development.
Requirements
|
Design
|
Development
|
Testing
|
Deployment
Security at EVERY stage,
rather than added only at the end.
Incident Response Teams
Dedicated teams for handling security incidents.
Common Names
- CIRT
- CSIRT
- CERT
Responsibilities
- Incident handling
- Investigation
- Coordination
- Recovery
Incident Detected
        |
        v
CSIRT Activated
        |
   ----------------
   |       |      |
Analyze Contain Recover
Security Frameworks
Frameworks provide:
- Best practices
- Standards
- Checklists
- Governance models
They help organizations:
- Build policies
- Select controls
- Meet compliance requirements
Gap Analysis
Organizations compare:
Current Security State
VS
Required Framework State
to identify:
- Missing controls
- Weaknesses
- Training needs
- Improvement goals
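The comparison above can be carried out mechanically once the required controls and the current inventory are written down. The block below is an added example (not from the original notes) of such a gap analysis: it takes a constructed baseline of required controls tagged with their functional type, a constructed set of implemented controls, and a record of compensating controls (here, the legacy-system case from the compensating-controls section, where network segmentation stands in for patching), then reports what is met, what is compensated, what is missing, and how well each functional type is covered. The control names and the baseline are assumptions for illustration, not taken from any specific framework.

```python
"""Gap analysis example: current controls vs. a required control baseline.

Added example, not from the original notes. The baseline, the implemented
controls and the compensating-control record are constructed; a real
assessment would load them from the chosen framework and the control inventory.
"""

# Constructed baseline: required control -> functional type.
REQUIRED = {
    "firewall": "preventive",
    "mfa": "preventive",
    "patch management": "preventive",
    "siem": "detective",
    "ids": "detective",
    "backups": "corrective",
    "security policy": "directive",
    "awareness training": "directive",
    "legal banners": "deterrent",
}

# Constructed current state.
IMPLEMENTED = {"firewall", "mfa", "siem", "backups", "security policy", "awareness training"}
# requirement -> (alternative control, documented justification)
COMPENSATING = {
    "patch management": ("network segmentation", "legacy system cannot be patched"),
}


def gap_analysis(required, implemented, compensating):
    """Compare the required baseline with what exists.

    Returns a dict with sorted lists 'met', 'compensated' and 'missing', a
    per-functional-type 'coverage_pct', and 'improvement_goals' (the functional
    types that are not fully covered), which maps onto the bullet list above.
    """
    met, compensated, missing = [], [], []
    for control in sorted(required):
        if control in implemented:
            met.append(control)
        elif control in compensating:
            compensated.append(control)
        else:
            missing.append(control)

    totals, satisfied = {}, {}
    for control, ftype in required.items():
        totals[ftype] = totals.get(ftype, 0) + 1
        if control in implemented or control in compensating:
            satisfied[ftype] = satisfied.get(ftype, 0) + 1
    coverage_pct = {ft: round(100 * satisfied.get(ft, 0) / n) for ft, n in totals.items()}

    return {
        "met": met,
        "compensated": compensated,
        "missing": missing,
        "coverage_pct": coverage_pct,
        "improvement_goals": sorted(ft for ft, pct in coverage_pct.items() if pct < 100),
    }


def gap_sample():
    """Run the analysis on the constructed data."""
    return gap_analysis(REQUIRED, IMPLEMENTED, COMPENSATING)


if __name__ == "__main__":
    report = gap_sample()
    for key in ("met", "compensated", "missing", "improvement_goals"):
        print(f"{key:18s}: {', '.join(report[key]) or '-'}")
    for ftype, pct in sorted(report["coverage_pct"].items()):
        print(f"  {ftype:12s} {pct:3d}% covered")
    for req, (alt, why) in COMPENSATING.items():
        print(f"compensating: {req} -> {alt} ({why})")
```

The point of tracking compensated controls separately from met ones is that a compensating control satisfies the requirement for the report but still carries the justification that has to be revisited, for example when the legacy system is finally retired.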
Building a Strong Security Posture
                   Strong Security Posture
                              |
      ----------------------------------------------------
      |            |           |           |           |
  Policies     Controls      Roles     Training    Monitoring
Recommended Security Process
1. Define Mission & Policies
|
2. Assign Roles & Responsibilities
|
3. Identify Risks & Compliance Needs
|
4. Select Security Framework
|
5. Implement Controls
|
6. Monitor & Detect Threats
|
7. Respond & Recover
|
8. Perform Gap Analysis & Improve
Quick Memory Trick
Categories = HOW implemented
| Category | Focus |
|---|---|
| Managerial | Oversight |
| Operational | People |
| Technical | Technology |
| Physical | Buildings & hardware |
Functional Types = WHAT they do
| Type | Timing / Role |
|---|---|
| Preventive | Before attack |
| Detective | During attack |
| Corrective | After attack |
| Directive | Enforce behavior |
| Deterrent | Discourage attackers |
| Compensating | Alternative protection |
Easy Story to Remember
Imagine a company building:
Physical Controls
= Locks & cameras on doors
Technical Controls
= Firewall & antivirus
Operational Controls
= Guards & procedures
Managerial Controls
= Policies & risk decisions
During an attack:
Preventive -> blocks attacker
Detective -> notices attacker
Corrective -> restores systems
And:
Directive -> tells employees rules
Deterrent -> scares attackers away
Compensating -> backup solution