A security control framework is a collection of security controls and implementation and audit guidelines well-organized as a template or solution for organizations to mitigate risks.
- According to NIST SP 800-160 Vol. 1, security control, aka safeguard or countermeasure, is “a mechanism designed to address needs as specified by a set of security requirements.” A mechanism is “a process or system that is used to produce a particular result.” It can be technology- or nontechnology-based, e.g., apparatus, device, instrument, procedure, process, system, operation, method, technique, means, or medium.
- Specifically, security controls refer to “the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.” (FIPS 199)
I created the Peacock model as a metaphor for an information system and introduced it in my book, The Effective CISSP: Security and Risk Management.
Risk assessment and risk treatment are two of the most significant risk management activities. Security controls can be viewed as risk treatment. Security controls are typically implemented using a defense-in-depth strategy (Onion) to protect the Peacock and enforce confidentiality, integrity, and availability.
A security control framework provides a security control baseline as the initial scope, that can be tailored to meet the organizational needs.
Terms and Definitions
- SECURITY OBJECTIVE: Confidentiality, integrity, or availability. [FIPS Publication 199]
- INFORMATION: An instance of an information type. [FIPS Publication 199]
- INFORMATION SECURITY: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542]
- INFORMATION SYSTEM: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]
- INFORMATION RESOURCES: Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]
- VULNERABILITY: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted]