ITPro.TV: CompTIA Security+ (SY0-601)

Security Controls

“Countermeasures” are another commonly used term for “controls”.

In either case, these are just whatever measures we’re taking to “avoid, detect, counteract, or minimize security risks”, in particular w.r.t. the CIA triad.

Systems of controls become frameworks/standards.

Security controls are classified into three categories:

Categories are themselves divided functionally into “types”:

The key difference between “preventative” and “deterrent” control types is that “deterrents” make someone not want to do something, while “preventative” control types actually stop them from doing that thing.

Recovery controls are basically extensions of corrective controls: Corrective controls simply return a system to normal functioning, while recovery controls work to re-harden the system.

Preventative, detective, corrective, and recovery controls are reactive, while deterrence and directive controls are proactive; compensating controls can be either, depending on what missing (primary) control they’re acting instead of.

Most administrative controls are directives.

Regulations, Standards And Frameworks

“Frameworks” are sets of guidelines and best practices covering a constellation of security controls.

Regulations and standards are basically prescriptive frameworks, the difference being that the first has the force of law, while the second is generally accepted within an industry (either by consensus or coercion).


CIS Top 20 Controls:

NIST CSF (Cyber Security Framework):

The NIST CSF is divided into a “core framework” (cybersecurity controls), “profiles” (specifies how to apply core controls for a specific risk appetite), and “implementation tiers” (qualitative guides for assessing maturity).

NIST RMF (Risk Management Framework):

The NIST RMF is about tying risk management into the SDLC, extending the CSF “profiles”.

ISO standards:

Adam Gordon recommends combining the NIST RMF (which is focused on IT risk management) and ISO 31000 (which is focused on organizational risk management) in order to obtain the most holistic possible risk management framework.

SOC reports can be divided into two “types”:

There are three kinds of SOC reports:

The CSA CCM (Cloud Security Alliance Cloud Controls Matrix) provides a list of almost 200 controls (!!!) focusing on the cloud supply chain risks.

There’s also lots of vendor guides.

Spotlight On General Data Protection Regulation

Location data becomes “personal data” under the GDPR if it can be linked to a session, and thus a user.

The GDPR requires that the data controller and data processor be separate roles. In generally, data processors are external to an organization.

The fines for breaches and other security violations under the GDPR are the greater of €10 million or 2% global revenue. But the fines for misrepresenting how data will be used or handles are double this.

The GDPR data protection officer may be an individual in either the data controller, the data processor, or a third-party.

The data controller must notify the applicable governmental regulatory body within 72 hours of becoming aware of a breach. However, extensions can be requested.

Nathan Acks
April 26, 2022