Planned Controls

Planned controls are those that have been approved but not yet installed. Planning documents identify what the controls have been purchased for and include supporting documentation. A planned control will have a specified implementation date.

A control might not be implemented yet for various reasons. Perhaps the control has been purchased but hasn’t yet arrived. Perhaps the control has arrived but hasn’t been installed. The reason a control hasn’t been implemented isn’t as important as realizing that it will be implemented.

Planned controls should be identified before other controls are approved so that an additional control isn’t purchased if one is already planned for purchase that would address the same vulnerability.

The effectiveness of a planned control can still be evaluated, but not as easily as that of a control in place, because only documentation about the control can be researched; the planned control itself can't be tested until it has been implemented. However, if a different control is found to work better, the planned control may be canceled and the other one purchased.

Control Categories

There are hundreds if not thousands of types of security controls. To make these types a little easier to comprehend, risk mitigation security controls are divided into categories. However, the categories are grouped differently depending on who does the categorizing.

Some controls are categorized using either of the following methods:

  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations—NIST SP 800-53 Rev. 5 identifies 20 families of controls.
  • Implementation method—Three implementation methods are used to categorize controls: procedural controls, technical controls, and physical controls. This chapter focuses on these three implementation methods.

NIST Control Families

NIST special publications are becoming more and more valuable for IT professionals in the United States. They document security best practices and provide a central source of knowledge for IT security professionals.

NIST will be releasing SP 800-53 Rev. 5 in 2020, which will provide guidance on more than 200 security controls. These controls handle a wide range of security issues organized into 20 families.

NIST SP 800-53 can be used to review security in any organization. For example, the Physical and Environmental Protection family includes 19 controls. Organizations use these controls for better physical security. They can be reviewed to determine whether they are relevant to an organization. Many of the controls described include additional references that provide more details on how to implement them.

TIP

NIST SP 800-53 Rev. 5, which will be released in 2020, puts new emphasis on privacy and expanded security controls and introduces new changes to control categories.

Functional Controls

Some controls are identified based on the function they perform. These functions are categorized into three broad classes of controls: preventive, detective, and corrective.

Preventive controls attempt to prevent a risk from occurring. For example, many actions taken to harden a server are preventive. These actions include disabling unneeded services and removing unneeded protocols. If the service or protocol is not on the server, it can’t be attacked. Similarly, keeping a system updated with patches is preventive. If the update is installed, an attack that exploits the patched vulnerability can’t succeed.

Detective controls attempt to detect when a vulnerability is being exploited. Audit logs and audit trails are examples of passive detective controls. When the logs are reviewed, the incident is discovered. An intrusion detection system (IDS) is an example of an active detective control. An IDS can review logs in real time, which allows it to detect an attack when it is occurring.

Corrective controls attempt to reverse the effects of a problem. File recovery and data correction are examples of corrective controls. For example, reliable backups allow data to be restored if it becomes corrupt. Many corrective controls are also considered recovery controls.
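As an added illustration of the difference between a passive and an active detective control (this code is not from the book), the Go program below reads audit log lines and raises an alert the moment one user accumulates a threshold of logon failures inside a sliding time window, the way an IDS rule would, instead of waiting for someone to review the log later. The log format, the sample lines, the threshold and the window are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one parsed line from the constructed audit log below.
type AuditEvent struct {
	When   time.Time
	User   string
	Action string // e.g. LOGON_SUCCESS, LOGON_FAILURE, FILE_DELETE
	Source string // workstation or address the action came from
}

// Alert is raised when one user accumulates `threshold` logon failures inside `window`.
type Alert struct {
	User     string
	Failures int
	First    time.Time
	Last     time.Time
}

// sampleLog is constructed for this example. The line format
// "<RFC3339 time> user=<name> action=<ACTION> src=<origin>" is assumed, not a real product's.
var sampleLog = []string{
	"2024-05-01T09:00:00Z user=alice action=LOGON_SUCCESS src=ws-12",
	"2024-05-01T09:01:10Z user=bob action=LOGON_FAILURE src=10.0.0.7",
	"2024-05-01T09:01:15Z user=bob action=LOGON_FAILURE src=10.0.0.7",
	"2024-05-01T09:01:20Z user=bob action=LOGON_FAILURE src=10.0.0.7",
	"2024-05-01T09:01:25Z user=bob action=LOGON_FAILURE src=10.0.0.7",
	"2024-05-01T09:01:31Z user=bob action=LOGON_FAILURE src=10.0.0.7",
	"2024-05-01T09:30:00Z user=carol action=LOGON_FAILURE src=ws-03",
	"2024-05-01T10:30:00Z user=carol action=LOGON_FAILURE src=ws-03",
	"2024-05-01T10:31:00Z user=alice action=FILE_DELETE src=ws-12",
}

// ParseAuditLine converts one log line into an AuditEvent. Malformed lines are
// rejected rather than silently skipped, so a gap in the audit trail is noticed.
func ParseAuditLine(line string) (AuditEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return AuditEvent{}, fmt.Errorf("expected 4 fields, got %d: %q", len(fields), line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuditEvent{}, err
	}
	ev := AuditEvent{When: when}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AuditEvent{}, fmt.Errorf("malformed field %q", kv)
		}
		switch k {
		case "user":
			ev.User = v
		case "action":
			ev.Action = v
		case "src":
			ev.Source = v
		default:
			return AuditEvent{}, fmt.Errorf("unknown field %q", k)
		}
	}
	return ev, nil
}

// DetectBruteForce walks events in time order and alerts as soon as a user's failures
// within the sliding window reach the threshold. Alerting on the event that crosses
// the line, rather than on a later review of the same log, is what makes this active.
func DetectBruteForce(events []AuditEvent, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{} // per-user failure times still inside the window
	alerted := map[string]bool{}       // one alert per user, to avoid flooding
	var alerts []Alert
	for _, ev := range events {
		if ev.Action != "LOGON_FAILURE" || alerted[ev.User] {
			continue
		}
		keep := recent[ev.User][:0]
		for _, t := range recent[ev.User] {
			if ev.When.Sub(t) <= window {
				keep = append(keep, t)
			}
		}
		keep = append(keep, ev.When)
		recent[ev.User] = keep
		if len(keep) >= threshold {
			alerts = append(alerts, Alert{User: ev.User, Failures: len(keep), First: keep[0], Last: ev.When})
			alerted[ev.User] = true
		}
	}
	return alerts
}

// AnalyzeLog parses raw lines and runs the detection over them.
func AnalyzeLog(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	events := make([]AuditEvent, 0, len(lines))
	for _, line := range lines {
		ev, err := ParseAuditLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return DetectBruteForce(events, threshold, window), nil
}

func main() {
	alerts, err := AnalyzeLog(sampleLog, 5, 60*time.Second)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT user=%s failures=%d between %s and %s\n",
			a.User, a.Failures, a.First.Format(time.RFC3339), a.Last.Format(time.RFC3339))
	}
}
```

With the sample log, five failures by bob within 21 seconds trigger one alert, while carol's two failures an hour apart do not; the same log reviewed only at the end of the day would be the passive form of the control.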

Chapter 3 of NIST SP 800-53 Rev. 5 shows a detailed control catalog that documents most of the security and privacy controls in these families. Appendix E documents the controls in the Program Management family. SP 800-53 is a living document, which means the security controls documented in the catalog will change over time. Some controls will be added, some will be removed, and others will be modified.

NOTE

Previous revisions of NIST SP 800-53 classified control families as management, operational, or technical. However, the authors removed this classification in NIST SP 800-53 Rev. 4, because many control families include controls in two or more of these classes. NIST SP 800-53 Rev. 5 revises the control families further.

The following list provides an overview of the control families. The family identifier is a two-letter acronym and is listed in parentheses. The control families include:

  • Access Control (AC)—This family of 23 controls helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs and no more. This family of controls also includes principles such as least privilege and separation of duties.
  • Audit and Accountability (AU)—This family of 16 controls helps an organization implement an effective audit program. Some controls identify what to audit, and other controls provide details on protecting the audit logs. This family also includes information on using audit logs for nonrepudiation.
  • Awareness and Training (AT)—This family of four controls includes steps that can be implemented to raise the security awareness of all users in the organization. These items help an organization identify needed training and properly document the training.
  • Configuration Management (CM)—This family of 12 controls addresses both change management and configuration management. Change control practices prevent unauthorized changes, and configuration management controls stress the use of baselines to configure new systems. The least functionality control documents methods of hardening systems, which include the common method of removing or disabling unneeded protocols and services.
  • Contingency Planning (CP)—These 12 controls are used to help an organization recover from failures and disasters. They include those related to planning, training, and testing for failures and disasters and those related to alternate sites for storage or processing. NIST SP 800-34 is the primary reference.
  • Identification and Authentication (IA)—These 11 controls cover different practices for identifying and authenticating users. Each user should be uniquely identified, meaning that each user has a single account and no account is shared by more than one user. Similarly, device identifiers uniquely identify devices on the network.
  • Incident Response (IR)—The 10 IR controls cover all aspects of security incidents, which include training, testing, handling, monitoring, and reporting. NIST SP 800-84 and SP 800-115 are the primary references.
  • Maintenance (MA)—The six MA controls cover security aspects related to maintenance, such as tools, maintenance personnel, and timely maintenance.
  • Media Protection (MP)—The eight MP controls focus on protection of removable digital media, which include tapes, external hard drives, and USB flash drives. This family of controls also includes nondigital media, such as paper and film, and covers the access, marking, storage, transport, and sanitization of media.
  • Personnel Security (PS)—The PS family of eight controls covers several aspects related to personnel security, which includes personnel screening, termination, and transfer.
  • Physical and Environmental Protection (PE)—The PE family provides 19 controls related to physical security, many of which are included in the Physical Control Examples section later in this chapter.
  • Planning (PL)—The PL family of six controls focuses on security plans for systems. It also covers rules of behavior for users. Rules of behavior are also called an acceptable use policy.
  • Program Management (PM)—This family of 16 controls is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls; they don’t replace them. This family is the only one that is not covered in Appendix F of SP 800-53. Instead, it is covered in Appendix G.
  • Risk Assessment (RA)—This family of five controls provides details on risk assessments and vulnerability scanning.
  • Assessment, Authorization, and Monitoring (CA)—This family of eight controls addresses steps to implement a security and assessment program. It includes controls to ensure only authorized systems are allowed on a network and details on important security concepts, such as continuous monitoring and a plan of action and milestones.
  • System and Communications Protection (SC)—The SC family is a large group of 41 controls that cover many aspects of protecting systems and communication channels. Controls for denial of service protection, boundary protection, transmission integrity, and confidentiality are included.
  • System and Information Integrity (SI)—This family of 16 controls provides information for maintaining the integrity of systems and data. Flaw remediation identifies steps to keep systems updated, and malicious code protection lists steps to protect against malware.
  • System and Services Acquisition (SA)—The SA family includes 15 controls related to the purchase of products and services. These controls include those related to hardware, software, and protecting the supply chain, and several controls address security issues related to software development.
  • Personally Identifiable Information Processing and Transparency (PT)—This family, new for Rev. 5, includes 21 controls. The family addresses the requirements for how personally identifiable information can be processed and the conditions under which it can be processed.
  • Supply Chain Risk Management (SR)—This family, also new for Rev. 5, includes 25 controls. These controls address enterprise-level program management and supply chain risk considerations as they relate to federal mandates.

NOTE

Nonrepudiation techniques prevent someone from denying he or she took an action. For example, an audit log records who, what, where, and when details for events. If an audit log recorded that a user deleted a file, the user cannot believably deny it. The user logged on, and the audit log recorded the action with the user’s logon credentials. The only alternative is that the user gave out his or her credentials. Digital signatures also provide nonrepudiation.
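To show the note's second point concretely, here is an added example (not the book's code) in Go that stores the who, what, where, and when of an action in an audit record and signs it with the acting user's Ed25519 private key. A verifier holding only the registered public key can confirm the record; changing any field, or signing in the user's name with a different key, fails verification. The user names, the action text, and the in-memory key registry are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AuditRecord captures who did what, where and when, plus the actor's signature
// over those four fields.
type AuditRecord struct {
	Who   string
	What  string
	Where string
	When  time.Time
	Sig   []byte
}

// canonical renders the signed fields in a fixed order so that signer and
// verifier sign and check exactly the same bytes.
func (r AuditRecord) canonical() []byte {
	return []byte(strings.Join([]string{
		r.Who, r.What, r.Where, r.When.UTC().Format(time.RFC3339),
	}, "\n"))
}

// SignAction builds a record for an action and signs it with the actor's private key.
func SignAction(priv ed25519.PrivateKey, who, what, where string, when time.Time) AuditRecord {
	r := AuditRecord{Who: who, What: what, Where: where, When: when}
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// VerifyRecord checks the signature against the public key registered for r.Who.
// A valid signature ties the action to the holder of that private key, so the user
// cannot believably deny it unless the key itself was given away.
func VerifyRecord(registry map[string]ed25519.PublicKey, r AuditRecord) bool {
	pub, ok := registry[r.Who]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, r.canonical(), r.Sig)
}

// Demo produces a genuine record, a tampered copy, and a record signed by someone
// else in alice's name, and reports whether each verifies.
func Demo() (genuine, tampered, forged bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key not registered to anyone
	if err != nil {
		return false, false, false, err
	}
	// Constructed registry: in practice the public keys come from an identity system.
	registry := map[string]ed25519.PublicKey{"alice": alicePub}
	when := time.Date(2024, 5, 1, 10, 31, 0, 0, time.UTC)

	rec := SignAction(alicePriv, "alice", "FILE_DELETE /share/q2-report.xlsx", "ws-12", when)
	genuine = VerifyRecord(registry, rec)

	altered := rec // same signature, but the "what" field is rewritten after the fact
	altered.What = "FILE_READ /share/q2-report.xlsx"
	tampered = VerifyRecord(registry, altered)

	forgedRec := SignAction(otherPriv, "alice", "FILE_DELETE /share/q2-report.xlsx", "ws-12", when)
	forged = VerifyRecord(registry, forgedRec)
	return genuine, tampered, forged, nil
}

func main() {
	genuine, tampered, forged, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine record verifies: %v\n", genuine)
	fmt.Printf("altered record verifies: %v\n", tampered)
	fmt.Printf("record signed with another key verifies: %v\n", forged)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Printf("example public key (hex): %s\n", hex.EncodeToString(pub))
}
```

The design choice worth noting is that the signature is made with a key only the user controls, not with a key held by the logging system: a signature the log server could produce itself would prove integrity of the log but not that the user, rather than an administrator, authorized the action.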

NOTE

Previous versions of SP 800-53 labeled the CA family as Certification, Accreditation, and Security Assessment. The CA acronym refers to Certification and Accreditation. Even though NIST changed the name, it will still use the CA acronym. The latest 2020 version, SP 800-53 Rev. 5, includes privacy authorization (PA) given the renewed emphasis on privacy controls.

Appendix E of SP 800-53 Rev. 5 includes a summary of the controls in each of these families. This appendix is close to half the size of the entire document, which is about 440 pages as of this writing. It is an excellent place to start when looking for specific things that can be done in an organization to improve security in any of these areas.
