Evaluate Security Controls
Step 6 in the recommended risk assessment process is "Evaluate security controls". This page expands on that step.
Evaluating the security controls lets you pair each possible threat with the vulnerabilities that are the mechanism by which that threat could occur. Security controls either eliminate or remediate those vulnerabilities and therefore reduce the chance of the threat happening. During this step of the risk assessment process, determine and list the security controls that are currently in place, and also the controls that could be added to reduce the risk further.
Some questions to ask when evaluating security controls include:
- Does the code validate user input and prevent injection attacks or cross-site scripting attacks?
- How are user accounts created?
- How are passwords reset?
- Are passwords sent or stored in plaintext form?
- Is any sensitive information stored in cookies?
There are many more questions to ask in different categories. The questions should help determine which security controls are necessary and which are already implemented.
Security Control Types
There are two main types of security controls:
- Preventive - Designed to reduce the chance of a threat becoming an incident. Examples include policies such as system update policies, anti-virus policies and actions, account management controls and similar items.
- Detective - Designed to detect incidents once they occur. Examples include security logs and intrusion detection systems.
Security Control Levels
Create control objectives in each area, then examine the current maturity level reached for each control objective.
The levels for each control, from least to most mature, are:
- Control objective documented in a security policy.
- Security controls documented as procedures.
- Procedures have been implemented.
- Procedures and security controls are tested and reviewed.
- Procedures and security controls are fully integrated into a comprehensive program.
For lists and descriptions of the NIST-recommended security controls, see Security Controls.