What Is Security Program And Controls?


Information security refers to protecting information (data) and information systems from unauthorized access, disclosure, use, modification, disruption, or destruction. Information security management is the process of defining the security controls that protect the organization's information assets.


Security Program

The first action of a management program to implement information security is to establish an effective security program. Some argue, however, that the first step should be to gain hands-on, "proof of concept" security knowledge that can be demonstrated on screen, for example understanding where an operating system stores its password data, in which file and in which directory. If you do not understand operating systems at the root-directory level, take advice from somebody who does before you begin to implement security program management and its objectives.

Security Program Objectives

  • Protect the company and its assets.

  • Manage risk by identifying assets, discovering threats, and estimating the risk.

  • Provide direction for security activities by framing information security policies, procedures, standards, guidelines, and baselines.

  • Information classification.

  • Security organization.

  • Security education.

Security Management Responsibilities

  • Determining the objectives, scope, and policies that a security program is expected to accomplish.

  • Analysing business objectives, security risks, user productivity, and functionality requirements.

  • Defining the steps that make sure all of these are accounted for and adequately addressed.


Approaches to Build a Security Program

There are two main approaches to building a security program. They are as follows.

Top-Down Approach

The initiation, support, and direction start from top management and work their way down through middle management and finally to the staff members.

This is treated as the best method, but it is not generally used.

It ensures that senior management, who are ultimately responsible for protecting the company's assets, are in charge of driving the program.

Bottom-Up Approach

The lower-end team invents a security control or a program without proper management support and direction.

It is often considered less effective and prone to failure because it lacks the management support and direction that the top-down approach provides.

Security Controls

Security controls can be broadly classified into three categories:

Administrative controls, which include:

  • Developing and publishing policies, procedures, standards, and guidelines.

  • Screening of personnel.

  • Implementing change control procedures.

  • Conducting security-awareness training.

Technical or logical controls, which include:

  • Implementing and maintaining access control mechanisms.

  • Identification and authentication methods.

  • Password and resource management.

  • Security devices.

  • Configuration of the infrastructure.

Physical controls, which include:

  • Controlling individual access into the facility and its various departments.

  • Locking systems and removal of unnecessary floppy or CD-ROM drives.

  • Monitoring for intrusion.

  • Protecting the perimeter of the facility.

  • Environmental controls.


The Different Elements Of Security:

  • Vulnerability: A software, hardware, or procedural weakness or loophole that may give an attacker the open door they are looking for to enter a computer or network and gain unauthorized access to resources within the environment.

  • There are many cyber security consulting firms that offer their services to manage an organization's security.

  • Threat: Any potential danger to the organization's information or security.

  • Risk: The likelihood of a threat agent taking advantage of an identified vulnerability, together with the corresponding impact on the business.

  • Exposure: The state of being exposed to losses from a threat agent. A vulnerability exposes an organization to attacks and other possible damage.

  • Countermeasure or safeguard: An application, piece of software or hardware, or process that mitigates the risk, e.g., strong password management, access control mechanisms within an operating system, a security guard, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.