Understanding control frameworks and the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Every modern organization needs control frameworks. These best practices aren’t just about security; they also streamline the very nature of how you secure your company’s data. Many would also cite the ISO/IEC 27000 series as a means of communication as well. When properly applied, their control frameworks work as standards for technical, administrative and physical controls.
When we think about control frameworks, it’s often convenient to only see them as security practices and that’s it. However, ISO/IEC 27000 series can work to help any company better accomplish its goals. What follows is an in-depth explanation about what control frameworks are that should further help you understand why they are so important.
What types of controls are covered on the CISSP?
A Certified Information Systems Security Professional (CISSP) is entrusted with keeping a company’s digital infrastructure safe. It’s an elite certification and governed by the International Information System Security Certification Consortium (ISC ²).
Amongst other things, this certification covers four types of control frameworks.
Preventative – This type of access control provides the initial layer of control frameworks. Preventative access controls are the first line of defense. They may be any of the following:
- Security Policies
- Security Cameras
- Security Awareness Training
- Job Rotation
- Data Classification
- Smart Cards
As you can see, there is a wide array of preventative controls. It’s important to appreciate that ISO 27001 controls and other standards published by the International Organization for Standardization don’t just rely on digital means for protection.
Deterrent – These are access controls that are deployed for the purpose of discouraging the violation of an organization’s security policies. This access control picks up where the last one left off. Instead of simply trying to stop a violation from taking place, it initiates consequences once one has occurred (or an attempt was detected). Examples of deterrents include:
- Security Personnel
- Security Cameras
- Separation of Duties
- Intrusion Alarms
- Awareness Training
The list goes on and on, but any number of these control frameworks could be used at your organization. One of the missions of the ISO/IEC 27000 series is to ensure you know how to create the best possible version for your company.
Detective – Next, we have detective access controls. These are relied on for discovering unauthorized activities. Generally, these aren’t working inside of control frameworks in real-time. They are deployed after the aforementioned activities have occurred. Some examples of this type of access control are:
- Security Cameras
- Intrusion Detection Systems
- Honey Pots
- Audit Trails
- Mandatory Vacations
Corrective – This access control is entrusted with restoring systems to their original form after an unauthorized event has occurred. Usually, corrective access controls have very limited potential to respond when these violations happen. Some examples would include:
- Antivirus Solutions
- Intrusion Detection Systems
- Business Continuity Plans
Recovery – This access control repairs resources, capabilities and functions after a security violation happens. Compared to corrective access controls, this version is more advanced and complex. Often times, they don’t just repair the damage done; they also stop it from occurring again. Some examples of this are:
- Server Clustering
- Fault Tolerant Drive Systems
- Database Shadowing
- Antivirus Software
Compensation – To assist the other access controls within your control framework, compensation access controls provide different options to assist with enforcement of your organization’s security policy. These might be:
- Security Policy
- Personnel Supervision
- Work Task Procedures
To help better understand compensation access controls, let’s look at an example. If budget cuts make it difficult to hire multiple security guards, you can just hire one and outfit them with enough cameras to monitor what is happening in your building.
Directive Access Controls – To encourage adherence to your company’s security policy, directive access controls can be deployed. They can accomplish this through directing, confining or controlling the actions of staff and others. The following would all be considered versions of directive access controls:
- Exit Signs
- Guard Dogs
- Security Guards
- Posted Notifications
- Awareness Training
Administrative Access Controls – These are the policies and procedures that companies use to enforce their overall control frameworks. They’re focused on two different areas: personnel and business practices. Common examples of these are:
- Background Checks
- Security Training
- Data Classifications
- Hiring Practices
Logical Access Controls – This can either be hardware or software that manages access to systems and resources. They also work as protection for those two important types of assets. Examples include:
- Constrained Interfaces
- Smart Cards
- Access Control Lists (ACLs)
Physical Access Controls – Finally, we have the physical access controls used in control frameworks. These are actual physical barriers that prevent direct contact with sensitive areas of a facility or the systems themselves. They would be things like:
- Motion Detectors
- Locked Doors
- Sealed Windows
- Swipe Cards
Qualitative vs. quantitative
When it comes to your organization’s ISO 27001 risk assessment, you can take either a qualitative or quantitative approach. The concept is sometimes referred to as “Q vs. Q.” Simply put, when doing an ISO 27001 risk assessment, you may discover a problem, the effects of which can be measured. This would be a quantitative risk. A common version would be if your system was down for 24 hours. As you can count the number of hours you will be without your system, it’s quantitative.
On the other hand, if you can’t quantify your problem’s variables, it would be a qualitative risk assessment. This is what occurs when, for example, you’re looking at the potential fallout from a decision you need to make.
What risk frameworks are covered on the CISSP?
Whether you use ISO 27002 controls 1, ISO 27001 controls 2 or any other of the standards put forward by ISO, you’ll want to understand how the control frameworks can be used to mitigate risk.
In total, the CISSP covers eight different domains. These are:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
This is as of 2021, though there have been other frameworks in the past as well (the previous iteration involved 10, for example).
The 6 steps of the risk management framework
There are concrete steps that can be used to leverage ISO 27002 controls toward keeping your organization secure. These are:
- Step 1: Categorize – This entails determining the criticality and sensitivity of the information being stored, processed or transmitted through an information system. To do this, you would assign each type of information a security impact value – low, moderate or high – in terms of integrity, confidentiality and their availability.
- Step 2: Select – Control frameworks need security controls, but you must select them first before they can be implemented. This selection should be made only after you’ve made your aforementioned decisions about the security impact values of your information.
- Step 3: Implement – With your selection made, you can now begin to implement your ISO 27001 controls or those from the ISO/IEC 27000 series if that’s the version you’re using. It’s also vital that you decide how the security controls will be employed within your organization’s information system and their domain of operation.
- Step 4: Assess – Using appropriate procedures, assess your security controls to ensure that they have been implemented correctly. Control frameworks may be well planned but if they are not equally well implemented, they will be of no use. They must also go on to operate correctly and produce the intended outcome in terms of securing your system. Assessments tell you whether or not this is happening.
- Step 5: Authorize – Once you’ve determined the risks facing the operations of your organizations and individuals, grant information system operations based on your findings.
- Step 6: Monitor – Lastly, control frameworks must be monitored on an ongoing basis. This will include documenting any changes that are made to the system, carrying out analysis of security impacts, reporting on the state of your security network to designated authorities and assessing the overall effectiveness of your framework.
Clearly, there is a lot of room here to address the unique factors involved with your organization. Nonetheless, these steps should give you enough direction to carry out a successful ISO 27001 risk assessment and manage the results accordingly.
Do I need to know any other frameworks?
Whether or not you should know other control frameworks is a decision only you can make. You’ll have to look at your organization and/or what you want from your job prospects.
Still, let’s take a quick look at some of the most popular options and what they have to offer:
- OCTAVE: Operationally Critical Threat, Assets and Vulnerability Evaluation was developed at Carnegie Mellon University’s CERT Coordination Center. This suite of tools, methods and techniques provides two alternative models to the original. That one was developed for organizations with at least 300 workers. OCTAVE-S is aimed at helping companies that don’t have much in the way of security and risk-management resources. OCTAVE-Allegro was created with a more streamlined approach.
- FAIR: Factor Analysis of Information Risk was developed to understand, analyze and measure information risk. It also has the support of the former CISO of Nationwide Mutual Insurance, Jack Jones. This framework has received a lot of attention because it allows organizations to carry out risk assessments to any asset or object all with a unified language. Your IT people, those on the IRM team and your business line staff will all be able to work with one another while using a consistent language.
- TARA: The Threat Agent Risk Assessment was created back in 2010 by Intel. It allows companies to manage their risk by considering a large number of potential information security attacks and then distilling them down to the likeliest threats. A predictive framework will then list these threats in terms of priority.
- ITIL: Information Technology Infrastructure Library provides best practices in IT Service Management (ITSM). It was created with five different “Service Management Practices” to assist you in managing your IT assets with an eye on preventing unauthorized practices and events.
Again, whether or not you should learn these control frameworks to help your organization is up to you and will depend on the needs of your company and the resources available. One factor that can sometimes be difficult to consider is the level of risk you find acceptable. Obviously, we’d all like to keep our vulnerabilities to a minimum, especially where our company’s digital infrastructures are concerned.
However, it’s not realistic to think that you’ll never have to take on some risk. Instead, you must look at these risks, look at your resources and then decide how much you’ll simply have to be comfortable with (at least at the moment). Although the other frameworks may help you protect your organization, they may not be an option right now.
Also, there is no doubt that CISSP will prepare you to protect your organization, so it would be wise to make sure you’re leveraging what you learned to its fullest potential before investing in another method. There’s a reason why it’s an internationally recognized designation.
As you can see, control frameworks are an essential step to safeguarding your company against the types of digital threats that have become commonplace. There is also no end to the types of organizations CISSP can be used to help. Whether you already have a position or you’re looking to improve your resume in a significant way, anyone with five years of experience in this field can earn their certification and begin properly using control frameworks.