Sensitive data should be protected in proportion to the potential impact of a loss of confidentiality, integrity, or availability. Protection measures (also known as security controls) are applied with two broad aims.
First, security weaknesses in the system must be resolved. For example, if a system has a known vulnerability that attackers could exploit, it should be patched so that the vulnerability is removed, or mitigated by other means until a patch can be applied.
Second, the system should expose to each authorized user only the functionality that user actually needs, so that no one can exercise functions unnecessary to their role. This principle is known as "least privilege." Limiting functionality and resolving security weaknesses share a common goal: give attackers as few opportunities as possible to breach the system.
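The following is an added example, not part of the original text, showing least privilege enforced in code: every protected function is unreachable unless the caller's role explicitly grants the one permission it requires (deny by default), and a small audit routine flags roles that hold permissions no function needs. The role names, permission names and functions are assumptions made up for illustration.

```python
"""Deny-by-default, least-privilege authorization (added example)."""
from functools import wraps
from typing import Callable

# Constructed role -> permission mapping. Each role carries only what its
# duties require; anything not listed is implicitly denied.
# "legacy_ops" is deliberately over-broad to show what the audit catches.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer":     frozenset({"report:read"}),
    "analyst":    frozenset({"report:read", "report:export"}),
    "admin":      frozenset({"report:read", "report:export", "user:manage"}),
    "legacy_ops": frozenset({"report:read", "db:drop"}),
}


class User:
    def __init__(self, name: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.name = name
        self.role = role

    def permissions(self) -> frozenset[str]:
        return ROLE_PERMISSIONS[self.role]


def requires(permission: str) -> Callable:
    """Decorator: the wrapped function runs only if the caller holds `permission`.
    There is no allow path other than an explicit grant, so the default is denial."""
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(user: User, *args, **kwargs):
            if permission not in user.permissions():
                raise PermissionError(
                    f"{user.name} ({user.role}) lacks {permission!r} for {func.__name__}")
            return func(user, *args, **kwargs)
        wrapper.required_permission = permission  # recorded for the audit below
        return wrapper
    return decorator


@requires("report:read")
def read_report(user: User, report_id: int) -> str:
    return f"report {report_id} contents"


@requires("report:export")
def export_report(user: User, report_id: int) -> str:
    return f"report {report_id} exported by {user.name}"


@requires("user:manage")
def disable_user(user: User, target: str) -> str:
    return f"{target} disabled by {user.name}"


PROTECTED_FUNCTIONS = (read_report, export_report, disable_user)


def allowed_functions(user: User) -> list[str]:
    """Names of the protected functions this user can actually invoke."""
    return [f.__name__ for f in PROTECTED_FUNCTIONS
            if f.required_permission in user.permissions()]


def unused_grants(role: str) -> frozenset[str]:
    """Permissions a role holds that no protected function requires.
    A non-empty result is an over-broad grant: privilege with no purpose."""
    needed = {f.required_permission for f in PROTECTED_FUNCTIONS}
    return ROLE_PERMISSIONS[role] - needed


def try_call(func: Callable, user: User, *args) -> str:
    """Invoke a protected function and report the outcome instead of raising."""
    try:
        return func(user, *args)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    viewer = User("alice", "viewer")
    admin = User("bob", "admin")
    print(try_call(read_report, viewer, 7))
    print(try_call(disable_user, viewer, "mallory"))
    print(try_call(disable_user, admin, "mallory"))
    print("viewer can call:", allowed_functions(viewer))
    for role in ROLE_PERMISSIONS:
        print(role, "unused grants:", sorted(unused_grants(role)))
```

The audit in `unused_grants` is the part that ties the two aims together: a permission nobody's duties require is an opportunity for an attacker who compromises that account, and removing it is the same kind of hardening as patching a weakness.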
Independently of which aim they serve, security controls are grouped into three types according to how they are implemented:
- Management controls: security controls that focus on the management of risk and of information system security (for example, risk assessment and security planning).
- Operational controls: security controls that are primarily implemented and executed by people rather than by systems (for example, awareness training, physical protection, and incident response procedures).
- Technical controls: security controls that are primarily implemented and executed by the system itself through its hardware, software, or firmware (for example, access control, authentication, and audit logging).