Identifying and Analyzing Risk Mitigation Security Controls
CHAPTER
CONTROLS MITIGATE RISK, which means they reduce or neutralize threats or vulnerabilities to an acceptable level. At any point in time, a company will likely have controls in place that need to be updated, controls that are planned, and controls that are needed or being considered.
There are hundreds of controls that can be implemented in any environment, so it is best to evaluate controls by category rather than one at a time. The National Institute of Standards and Technology (NIST) publishes SP 800-53, Security and Privacy Controls for Information Systems and Organizations. This document groups 212 controls into 20 families, each designated by a two-letter identifier such as AC for access control, IR for incident response, and CM for configuration management. Which controls a system must implement is determined by its baseline (low, moderate, or high), selected according to the impact level of the system; separately, each control is implemented as one of three types: common (inherited from the organization or a shared service), system-specific (implemented by and for a single system), or hybrid (partly inherited, partly system-specific). Controls are also commonly categorized by their nature as procedural (or administrative), technical, and physical. NIST SP 800-53 Rev. 5 writes its controls as outcome-based statements rather than prescribing who implements them, integrates privacy controls alongside security controls, and adds controls derived from threat intelligence and observed attack data.
This chapter covers the following topics and concepts:
When you complete this chapter, you will be able to: