And this is our very next module, module three. So we will look at how controls operate, what a control is in effect. And then we will look at the three types of control. All modern security frameworks break controls up into three types, and we've looked already at physical and logical, but there is a third type of control: administrative controls. These are controls that tell people how to behave, part of our governance: policies, procedures and so on. And it's not the case that we use any one of these control types. We actually layer them; there is an interdependency. It's not usually enough to have just administrative controls, or just physical controls, or just logical controls. Just think if you had a data center and your data center had lots of really good logical controls, lots of very good technical protections, firewalls, antivirus and so on, but there was no lock on the door. Anybody passing by your building could go in and out if you have zero physical controls. Even if you've got very good technical controls, there is still a significant risk. So usually we need a balance between the two, or a balance between the three, factoring in the administrative controls. We tell people what to do, but people don't always do what they are told to do. They might forget, make a mistake, or intentionally behave in a different way. So it's not enough to have administrative controls. So we layer these three control types; we use a combination of them, and that kind of relates back to multifactor authentication. The reason you combine the different factors is because it's harder to attack a combination of factors than one factor: instead of using something you know three times, it's much stronger to use three different types. The same is true here in terms of controls: we're using different types of controls in combination. So a control helps to affect an outcome in the real world. You have a remote control for your television; it affects an outcome.
And what we're trying to do is to detect, correct, prevent or reduce a risk, to affect that outcome somehow. Controls and control activity follow on from our risk management, and we have a risk-based approach to security. Therefore this control activity is really important, and it's part of all major cybersecurity frameworks, and we have three listed there. So ISO 27001: the International Standards Organization offers a certification that companies can choose to meet. And 27001 has a requirement for a risk assessment, risk management. And then depending on your risk management, what you say in your risk management affects how you use controls, and 27001 has over 100 controls that it suggests you respond to. For example, do you synchronize time on your network? Do you do background checks for employees? Lots of different controls that it asks you to think about. Control Objectives in IT, COBIT, is managed by ISACA. ISACA as an organization grew out of audit. So when finance systems were paper-based, there were controls to manage the accuracy of finance data. When computers started to store finance data in the 1960s and 70s, at that point auditors realized that we needed to control our IT environment. We need to protect and control our IT environment, and the Control Objectives in IT were an extension of that kind of financial audit. And again it contains a list of controls that we should consider as an organization. NIST, the National Institute of Standards and Technology, is the US-based organization that provides two really important sets of documents: the Special Publications, SP, the Special Publications in the 800 series, and also they produce the Federal Information Processing Standards, FIPS. And if you are a federal US agency, a government agency, a national government agency in America, then you have to follow their guidance. You don't have any choice.
But the great thing about NIST is all of their guidance is available on their website. It is very easy to read and understand, and it is free of charge; the price is zero. So this guidance I use extensively. It is very well known worldwide, and on the right in the image there you see a QR code for one of the Special Publication documents, SP 800-53. This is one of the most well-known documents produced by NIST, and it contains again their recommendations for control activity. So there we go: three different approaches to cybersecurity, three different frameworks, all of which are risk-based, all of which require you to undertake control activity to manage your risk. Security controls then help to manage the risk by reducing the risk to a level that is acceptable. They lower the risk; very rarely do they lower it to zero. Usually there is some risk remaining; we call that residual risk. Residual risk is the risk that remains after we have applied these security controls. And what we're looking to do is to decide whether the benefit from a control is worthwhile given its cost, so the cost versus the benefit. For example, if we had a data center in the basement of a building, and once a year it flooded and the flood caused $10,000 worth of damage. So the flooding happens once each year and causes $10,000 worth of damage. If we could buy a pump that completely mitigated the risk of flooding, reduced it to zero, because as soon as it detected water it would pump the water away, and if that pump cost $20,000 a year to install and maintain, would we buy it? Well, in this example, maybe not: the cost of the control is $20,000 a year, and the benefit that it gives is only $10,000 a year. So it depends; that's a really basic example. There would be other factors: the disruption of the flood. If it causes $10,000 worth of damage, those systems are likely to be offline, and there's the damage to our reputation of being offline. So that was a really simple example.
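A worked version of the flood scenario above, added here as an example and not part of the lecture. It uses the standard annualized loss expectancy arithmetic (single loss expectancy times annual rate of occurrence) to express the residual risk after a control and the control's net value, and then generalizes the lecturer's single pump to several candidate controls, including ones that only partly mitigate the risk. The figures for the pump come from the lecture; the other two controls and their prices are constructed for illustration.

```python
"""Cost/benefit check for a security control (added example, not lecture code).

Assumed model, the standard annualized-loss arithmetic:
    ALE            = SLE x ARO                 expected loss per year, no control
    residual ALE   = ALE x (1 - mitigation)    what the lecture calls residual risk
    annual benefit = ALE - residual ALE
    net value      = annual benefit - annual cost of the control
A control is worth buying on these numbers only if net value > 0.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: damage per incident, in dollars
    aro: float  # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # purchase amortised plus maintenance, per year
    mitigation: float   # fraction of the risk the control removes, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError("mitigation must be between 0 and 1")


def residual_ale(risk: Risk, control: Control) -> float:
    """Risk that remains after the control is applied (residual risk)."""
    return risk.ale * (1.0 - control.mitigation)


def net_value(risk: Risk, control: Control) -> float:
    """Annual benefit of the control minus its annual cost; positive means worthwhile."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def worthwhile(risk: Risk, control: Control) -> bool:
    """True when the control pays for itself on the loss figures alone."""
    return net_value(risk, control) > 0


def best_control(risk: Risk, controls: list[Control]) -> Control | None:
    """Highest net value among controls that pay for themselves, or None (accept the risk)."""
    candidates = [c for c in controls if worthwhile(risk, c)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: net_value(risk, c))


# Figures from the lecture's scenario: one flood a year causing $10,000 of damage.
FLOOD = Risk("basement data center flood", sle=10_000, aro=1.0)

# The lecture's pump, plus two constructed alternatives (hypothetical prices).
PUMP = Control("sump pump, full mitigation", annual_cost=20_000, mitigation=1.0)
BARRIERS = Control("flood barriers, partial mitigation", annual_cost=3_000, mitigation=0.6)
RELOCATE = Control("move racks to first floor", annual_cost=8_000, mitigation=1.0)

if __name__ == "__main__":
    for c in (PUMP, BARRIERS, RELOCATE):
        print(f"{c.name:36s} residual ALE ${residual_ale(FLOOD, c):>8,.0f} "
              f"net ${net_value(FLOOD, c):>+9,.0f} worthwhile={worthwhile(FLOOD, c)}")
    chosen = best_control(FLOOD, [PUMP, BARRIERS, RELOCATE])
    print("choose:", chosen.name if chosen else "accept the risk")
```

Running it shows the lecturer's answer for the pump (net value of minus $10,000, so not worthwhile on these numbers) and that a cheaper partial control can beat a complete one. The model deliberately captures only direct loss; the downtime and reputational factors the lecture mentions would have to be folded into the SLE before the comparison is meaningful.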
But we do think about the cost of the control versus its benefit, and that judgment over whether to adopt a control or not, that judgment in terms of how we manage the control, we said is made by the leadership within the organization, by those C-level officers. And the security controls, we see there, are just broken up into those three groupings: administrative controls, physical and technical. Let's take a look at each of the types. So, controls relating to the administrative category: these are telling people how to behave. We have policies, procedures, guidelines, standards. Policies are a high-level statement; procedures are step-by-step instructions on how to do something; guidelines are recommendations. With guidelines, think about the word "should": you should do these things. Standards, the word to remember is "must": standards say you must do something. Guidelines are just recommendations; standards we have to follow. And are these controls enough in isolation? Could we just rely on administrative controls? Absolutely not. People forget; people deliberately undermine controls. I've seen an argument: I've found somebody behaving in a way that breached policy, and I said, why are you doing this? And their answer was, well, my way of doing it is better. And that may be the kind of thinking: people may not be aware of the reason for a policy or procedure to exist. A good policy will say what you're doing but also will explain why, to help generate buy-in, so that people understand; they're more likely to comply with it if they understand. But administrative policies are not effective in isolation. We don't consider them to be effective in isolation. It doesn't mean they have no value; they're really important. They say what we do, and then we try to make sure that we're doing what we say we do. So this is the starting point for governance. This is what we do as an organization. This is how we behave.
We then use physical and logical controls to enforce those behaviors. Physical controls often secure access to something: for example, a door in a fence controls access to a site; the door on a safe. It's a gap in a secure perimeter that controls access. So physical access control systems, door entry systems, CCTV systems, alarm systems are all examples of physical controls. And again, really good physical security isn't enough. If we had good administrative controls and good physical controls, well, that's great, but we still need technical controls. Just think if you had a data center that was very well guarded, that had good procedures and policies surrounding its use. What if it's connected to the internet without a firewall, without any protection technically or logically? It's going to face significant risks. So again, administrative, physical and logical need to be used in combination. For our technical or logical controls, then, things like encryption, endpoint security. Endpoint security is a more modern phrase for antivirus. Antivirus is protecting just against viruses. Modern endpoint detection and response systems, EDR, provide protection for network threats, ransomware, malware, viruses, not just for viruses. So the term you'll hear commonly is either endpoint security or EDR, endpoint detection and response. Clustering: getting systems to work together in combination to provide more resilience. And we can think about some controls as being preventative. A firewall we can think about as being preventative; it prevents somebody breaking into our network. But also, if there is a problem, it might also be in part detective. The same is true of antivirus-type products: they might help prevent, they might help detect, depending on the type of threat. And we talked already about whether a control is worthwhile, a decision against the benefit it confers versus its cost, the cost of buying it to the cost of maintaining it.
We looked at the common control frameworks: ISO 27001, which companies can be certified to; ISACA, who produce the Control Objectives in IT, and they also produce something called Risk IT. So those two ISACA frameworks together give us something very similar to ISO 27001. NIST SP 800-53 is a NIST document; NIST, the National Institute of Standards and Technology, is a longstanding organization, it's been around since 1901. They produce those Special Publications and the Federal Information Processing Standards.