Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure

Adequate controls should be in place to meet the high-level control objectives that have been defined. The organizational risk assessment plays an important role in identifying high-risk areas, and the areas identified as riskiest should be assessed as often as possible. Levels of risk across the IT infrastructure vary from organization to organization as a result of differing objectives and risk appetites. Regardless, most organizations do share a common set of critical controls.

Security controls are the cornerstone of a well-defined security program: they prevent or detect a security breach, and they allow the business to resume operations after a major security incident. However, an organization can apply so many security controls that they become an obstacle for its customers. When a security control cannot distinguish acceptable behavior from unacceptable behavior in order to support the customer, the business is impacted.

Information security (IS) policy gives security controls their business meaning. This relationship between security controls and security policy ensures that competing priorities stay in balance, and that business risks and requirements are considered when building security controls.

Critical Security Controls (CSC) is a term describing a minimum set of recommended IS controls that should be implemented to safeguard the IT environment and customer data. Recommendations on what constitutes the CSC vary slightly between professional organizations and frameworks.

NIST Special Publication 800-53, unlike the Critical Security Controls, provides a comprehensive library of security controls. The Critical Security Controls, on the other hand, cover only a subset, focused on what are believed to be the most important controls. Keep in mind that this is only a generalization. After the critical controls are addressed, further controls can be considered from the NIST document, for example.
