Security Controls

Security controls enable organizations to have a measuring stick where they can assess the effectiveness of their practical and operational security statements and controls against industry standards. These security controls act as guidelines to check the organization's security statements for their maturity and capabilities. Security controls also provide a model framework in order to create a Gap assessment, enable the focus on remediation planning, and increase the awareness and interest of the stakeholders in creating a model that focus on security and risk assessments. These standards are based on laws, standards, regulations and guidelines and are intend to establish the effectiveness of satisfying their specified security necessities (Chew et al, 2007). These standards were developed by a consortium of major corporations, government agencies and many others such as NIST (National Institute of Standards and Technology), OMB (Office of Management and Budget) and other governmental bodies such as the Secretary of commerce, and government issued laws such as FISMA (Federal Information Security Management Act).
These security controls are mainly focused on probable attack scenarios such as inventories of authorized and unauthorized devices and software connected to networks (Stouffer et al, 2011), secure configuration for software and hardware on mobile and immobile devices, continuous vulnerability assessments and remediation, defenses against malware and viruses, application software security, data recovery capabilities, security based skills assessments and training of staff, security configurations and hardening of network hardware such as routers, firewalls and switches, controlled use of administrative accounts and privileges, and monitoring, maintenance and analysis of audit logs, need to know basis controlled access, monitoring of accounts and controls, prevention against data losses, management of incident response, secure network engineering and