
I'm doing research about Information Security Controls. Considering that the topic is very wide, I would like to organize in macro categories the security controls that can be adopted by an enterprise to reduce the risk of attack.

For example:

  • Control Category 1: Vulnerability Assessment
  • Control Category 2: Patching
  • Control Category 3: Firewall & IPS

Is there any list of security controls or any categorization like this?

Doraemon

Comments:

  • Have you done any research? There are multiple different frameworks. NIST CSF, ISO 27001, ISF GPG, CIS Top 20. There's quite a few. – schroeder Jan 16 '20 at 22:49
  • I made a change in your question for you by changing "measures" to "controls". If you search "security controls" you will find what you are looking for. – schroeder Jan 16 '20 at 22:53

2 Answers

There are several models already designed for you, not so much for thinking precisely about the categorisation of threats, but for creating a safe architecture. The worldwide known entity on this is called NIST, which provides a Policy Framework about cybersecurity.

You can check it out on the official site, but not before getting an intro about NIST here and here (Wikipedia).

FYI, NIST is recognised worldwide, but it is still a national entity in the USA.

If you find it a little bit heavy, another alternative can be the Ishikawa model, which categorises threats by kind; I'm not sure if it provides strategic solutions for each sector.

Ishikawa diagram

I think there is no official site for this, but there is plenty of information about it anywhere.

John

I would start with physical access control. If an attacker gets physical access ...

  • ... to your office rooms, he may find sensitive information that will enable an attack (like your network topology including firewalls, gateways, etc.), or even information about your security policies
  • ... to server rooms (if you have servers), he can compromise your hardware or attach his malicious hardware
  • ... to your network routers/switches, network wires or sockets, he can attach malicious devices to your network and e.g. use sniffers and prepare an attack
  • etc.

In these cases other measures like patches or firewalls can be ineffective. That's why I would put physical access control in first place.

mentallurg