CISSP PRACTICE QUESTIONS – 20191224

Effective CISSP Questions

Your company decides, as a strategic move, to start a business selling toys online and shipping globally. You are going to be designated as the program manager for the E-commerce program, which is sponsored by the COO and tasks an in-house development team with developing the E-commerce system that supports the new business. Which of the following is most critical to your success?
A. Competent team
B. Communicated Policy
C. Executable strategy
D. Documented program plan

Control Objectives

Wentz’s Risk Model

Security Controls

As security professionals, we don’t implement security controls for no reason. We have specific control objectives to achieve, and we implement security controls as risk treatments that serve those objectives and, through them, the CIA security objectives (confidentiality, integrity, and availability).

Control Objectives

Control objectives direct the planning, implementation, and evaluation of security controls. They give auditors specific targets against which to evaluate the effectiveness of a control. They can also be classified so that risk practitioners can identify risks along the resulting taxonomy, for example Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Security Control Taxonomy

We implement a security control as a risk treatment measure to achieve certain security objectives; therefore, it is common to classify security controls by the security objective they serve. The categorization into administrative, technical, and physical controls is the best known, as it is the one used by the HIPAA Security Rule.

For example, given two questions as follows:

  1. Is a biometric-based system that controls access to a computer a technical or a physical control/safeguard?
  2. Is a biometric-based system that controls access to the computer room a technical or a physical control/safeguard?

The control objective in question 1 is mediating logical access to “information” through authentication on the computer itself, e.g., by fingerprint, while the control objective in question 2 is controlling physical access to “information systems” or “facilities.”

If we categorize security controls by the target assets they protect, which are the primary components of the security objective, we can conclude that the answer to the first question is technical, while the answer to the second is physical. That is why technical controls are also known as logical controls, in contrast to physical controls.

So, is a biometric-based system a technical or a physical control? The answer depends on the control objective, not on the technology.

The following two posts are worth your thoughts:

References

  1. Control objectives
  2. Understanding Your SOC 1 Audit Report: What are Control Objectives?
  3. So What Actually Are Control Objectives?

CISSP PRACTICE QUESTIONS – 20191223

Effective CISSP Questions

Your company decides to start a business selling toys online and shipping globally. An in-house development team is tasked with developing the E-commerce system that supports the new business. As a security professional and a member of the project team, you want to ensure the use of secure information system development processes. Which of the following provides practices or guidelines that best meet your requirements?
A. Agile
B. ISO 15288
C. NIST SP 800-160 Volume 1
D. CMMI

CISSP PRACTICE QUESTIONS – 20191222

Effective CISSP Questions

Your company decides to start a business selling toys online and shipping globally. A newly recruited developer, Jack, is hired because of a critical algorithm published in his graduate thesis. He joins the in-house development team and develops a software component for shopping cart analysis from scratch, copying the idea from his previous company, which claims to hold a patent on the algorithm. As a security professional, which of the following is of most concern?
A. Trademark
B. Trade secret
C. Patent
D. Copyright

CISSP PRACTICE QUESTIONS – 20191220

Effective CISSP Questions

You are sitting for the CISSP exam. An agreement is displayed on the screen requiring that you, as an exam taker, not share any content of the exam with others. After reviewing it, you click “I agree” and proceed to start the exam. Which of the following best describes your behavior?
A. Accountability
B. Digital signature
C. Due care
D. Due diligence

HIPAA Safeguards

Wentz’s Risk Model

HIPAA

According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the safeguards are grouped into three categories: administrative, physical, and technical.

The HIPAA Privacy and Security Rule

The U.S. Department of Health and Human Services (HHS) issued the regulations known as the Privacy Rule and the Security Rule, which specify the protections required of the entities covered by HIPAA.

The Privacy Rule primarily addresses how PHI (protected health information) may be used and disclosed, while the Security Rule applies specifically to electronic PHI (ePHI), a subset of the information the Privacy Rule covers, and requires the administrative, physical, and technical safeguards below.

HIPAA Safeguard Definitions

Administrative

The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Technical

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Physical

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

References

  1. Security Standards: Administrative Safeguards
  2. Security Standards: Technical Safeguards
  3. Security Standards: Physical Safeguards
  4. HIPAA SECURITY SERIES LIST [LINKS TO ALL 7 HHS DOCUMENTS]

Enrollment and Entitlement

IdentityAndAccessManagement

  • Enrollment is the process of registering a subject in a directory and binding a secret (the authenticator) to its identity, after identity proofing where required.
  • Entitlement is the process of granting privileges (permissions and rights) to an enrolled subject, also known as authorization.
  • Both are parts of identity provisioning.
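As an added example (not code from the original post), the Python sketch below models the two provisioning steps in a small directory: enroll() refuses a subject whose identity proofing failed and binds a PBKDF2 verifier, never the secret itself, to the identity; entitle() grants permissions and rights; authenticate() checks a presented secret against the bound verifier; authorize() succeeds only for a privilege granted during entitlement. The class and function names, the work factor and the sample users are assumptions made for illustration.

```python
"""Identity provisioning: enrollment binds an authenticator to a proofed identity,
entitlement grants privileges. Added illustration, not the original post's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for the example)


@dataclass
class Subject:
    username: str
    salt: bytes
    verifier: bytes          # derived from the secret; the secret is never stored
    permissions: set = field(default_factory=set)
    rights: set = field(default_factory=set)


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class Directory:
    def __init__(self):
        self._subjects = {}

    # Enrollment: register the subject and bind the authenticator, but only
    # after identity proofing has succeeded.
    def enroll(self, username: str, secret: str, proofed: bool) -> None:
        if not proofed:
            raise PermissionError("identity proofing failed; refusing to enroll")
        if username in self._subjects:
            raise ValueError("subject already enrolled")
        salt = os.urandom(16)
        self._subjects[username] = Subject(username, salt, _derive(secret, salt))

    # Entitlement: grant privileges (permissions + rights) to an enrolled subject.
    def entitle(self, username: str, permissions=(), rights=()) -> None:
        subj = self._subjects[username]          # KeyError if never enrolled
        subj.permissions.update(permissions)
        subj.rights.update(rights)

    # Authentication: compare the presented secret with the bound verifier in
    # constant time; derive a dummy value for unknown users so timing does not
    # reveal whether the username exists.
    def authenticate(self, username: str, secret: str) -> bool:
        subj = self._subjects.get(username)
        if subj is None:
            _derive(secret, b"\x00" * 16)
            return False
        return hmac.compare_digest(_derive(secret, subj.salt), subj.verifier)

    # Authorization: only privileges granted during entitlement count.
    def authorize(self, username: str, permission: str) -> bool:
        subj = self._subjects.get(username)
        return subj is not None and permission in subj.permissions


def provision_demo() -> dict:
    """Walk through enrollment, then entitlement, with constructed sample users."""
    d = Directory()
    d.enroll("alice", "correct horse battery staple", proofed=True)
    # Enrolled but not yet entitled: she can authenticate, but is not authorized.
    enrolled_only = (d.authenticate("alice", "correct horse battery staple"),
                     d.authorize("alice", "orders:read"))
    d.entitle("alice", permissions={"orders:read"}, rights={"login:interactive"})
    # Entitled: a wrong secret still fails, and the granted permission is honoured.
    entitled = (d.authenticate("alice", "wrong secret"),
                d.authorize("alice", "orders:read"),
                d.authorize("alice", "orders:delete"))
    try:
        d.enroll("mallory", "anything", proofed=False)
        refused = False
    except PermissionError:
        refused = True
    return {
        "enrolled_only": enrolled_only,        # (True, False)
        "entitled": entitled,                  # (False, True, False)
        "unproofed_refused": refused,          # True
        "unknown_user": d.authenticate("nobody", "x"),  # False
    }


if __name__ == "__main__":
    print(provision_demo())
```

The point the walk-through makes is the one the two definitions draw: a subject can be fully enrolled (and so able to authenticate) while holding no privileges at all, because authorization is decided by what entitlement granted, not by the success of authentication.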

On the amendment of the EU’s energy taxonomy legislation

Below I give my views on a report by 聯合新聞網 (udn). The report is an article by the 聯合報 editorial board (主筆室), published on 聯合新聞網 at 10:18 on 2019-12-18, titled: 【重磅快評】歐盟將核能納入綠色轉型是蔡英文的噩耗 (“Flash commentary: the EU’s inclusion of nuclear power in the green transition is bad news for Tsai Ing-wen”).

Source: 聯合新聞網 (udn)

Overview of the matter

  • The EU’s goal is to develop the economy under the premise of environmental sustainability (environmentally sustainable economic activities).
  • The disposal of waste has two main points, prevention and recycling, and must meet the basic “Do No Harm” principle.
  • Under the do-no-harm principle, the EU’s energy Taxonomy has three tiers: truly green (Green), Enabling, and Transition. However, the technical criteria for the Taxonomy are still being worked out by the EU’s Technical Expert Group (TEG), and a draft is not expected until the end of 2020.
  • Moreover, in its taxonomy technical report of 2019/06, the EU’s TEG did not recommend including nuclear energy in the list of green activities.
  • Economic development consumes large amounts of energy, and the energy industry is itself part of the economy; the EU’s Green Deal and its policies naturally stand in the way of the nuclear vendors’ revenue. France, which holds the nuclear technology, is the largest pro-nuclear country in the EU. On 2019/09/23 it proposed an amendment to the Taxonomy legislation. In the end, on 2019/12/14, this compromise version appeared, but it does not mention the word “nuclear” anywhere.
  • This compromise version mainly changed the wording in three places: recital 24a, Article 6(1a) and Article 12(1)(d). As a result, nuclear energy “has a chance” of being interpreted by each side in its own way as eligible for the lowest tier, the Transition list. But the final determination has to wait until the EU’s TEG produces the draft technical criteria at the end of 2020 and they are adopted. And the TEG’s taxonomy technical report of 2019/06 did not recommend including nuclear energy in the green list.
  • Undeniably, the wording of this amendment may indeed open the possibility of nuclear energy finally being placed on the lowest tier, the Transition list (and some groups have therefore started protesting the amendment). But the draft technical criteria of the EU energy Taxonomy are still being worked out by the TEG. The final determination must rest on the formal Taxonomy standard.
  • 聯合新聞網 reported:
    “The EU Council stated in a memorandum that, to ensure energy security, nuclear power should be included in national energy mixes and become part of the European Green Deal.”
    Why doesn’t 聯合新聞網 provide the original link to the EU Council memorandum so everyone can take a look!?
    (I am attaching the original amended text of 2019/12/14 for reference. This is the amendment proposal of 2019/12/06.)
  • Press freedom must not be used as a tool for political propaganda. Only a few days ago 中天新聞 was reported to have had Han supporters (韓粉) read scripts and act out a fake news story, and today 聯合新聞網 comes up with another over-interpreted, embellished news story. The damage these Chinese-funded media are doing to press freedom in Taiwan is truly worrying!
  • Everyone really must stay alert to the malice of Chinese-funded media towards Taiwan!

CISSP PRACTICE QUESTIONS – 20191219

Effective CISSP Questions

Your company decides to start a business selling toys online and shipping globally. The development team is conducting threat modeling and identifies a misuse case in which an attacker can manipulate the backend database by sending XML messages through HTTP POST. Which of the following vulnerabilities should be fixed first?
A. SQL Injection
B. XML External Entities (XXE)
C. Broken Authentication
D. Cross-Site Request Forgery (CSRF)
