60 -20 – 20 Rule of Cyber Security Controls Selection

Cyber Security controls are of varied nature. They could be administrative, logical and physical natured ones.Controls such as policy and procedures are considered as administrative controls. Virtual, application and technical controls such as systems and software, firewalls, anti virus software, encryption and maker/checker application routines will be considered as logical controls. Controls such as video surveillance systems, barricades, the use of security guards to manage access to an office, remote backup facilities,locks, doors will be considered as physical controls.

These controls again we can categorise into 3 major areas which should serve organizations in 60 – 20 – 20 Rule basis in managing their cyber security risks.

Preventive controls

Preventive controls should form 60% of Cyber Security Controls in an organization.

What do these preventive controls accomplish ?

Preventative controls exist to prevent the threat from coming in contact with the vulnerabilities exist in an organization.These preventive controls help organizations in managing the potential cyber security risks by preventing them before occurring. The following are the major controls used by global organizations as preventive controls in combating against cyber security risks:

– Implementing Firewalls- Implementing IPS- Implementing Anti Virus Packages- Implementing E Mail filtering- Implementing Web filtering- Implementing Endpoint Protection Suite- Implementing Next Generation APT Prevention Suite- Implementing Application whitelisting- Implementing Rogue devices monitoring- Restricting usage of staff owned PDAs in office by implementing a BYOD policy- Tracking the entry of non staff into the office through exclusive register- Mandating ID Cards for staffs and non staffs (Temporary visitor cards)- Hardening of IT Infrastructure- Implementing Minimum Security Baselines- Implementing strong encryption methods based on robust cryptographic controls and key management standards- Disabling Macros- Disabling browser plug ins that might bring in malicious malware- Disabling pop ups through popup blocker- Attaching sandbox setup attached with E Mail Gateway servers to address potential malicious attachments- Periodic vulnerability analysis and remediation of vulnerabilities- Proactive patching- Provision of access privileges strictly only in need to know basis- Deactivation of admin privileges for individuals- Reviewing the usage of admin privileges by super users such as DBAs and IT Administrators- Deactivating dormant user ids not used for a stipulated time period- Implementing effective change management- Implementing Background verification done for staff before hiring- Implementing Verification of reputation of vendors before contracting IT any services- Implementing exclusive DDoS prevention controls (Refer my article in Linkedin ” Detoxifying DDoS Attacks)- Implementing Access Control Systems- Implementing a Clear Screen and Clear Desk Policy- Implementing an IT Assets Acceptable Usage Policy- Implementing Teleworking Policy with strict controls enforces on usage of VPNs- Implementing a robust data classification scheme supported by data protection policy and procedures- Implementing a Data Leak Prevention (DLP) solution- Installation of CCTVs- Providing effective information security awareness to staff with exclusive emphasis on malwares

Detective controls

Detective controls should form 20% of Cyber Security Controls in an organization.

What do these Detective controls accomplish ?

Detective controls exist to identify whether the IT Systems in an organization are attacked by threats or not.The arrival of infection into IT Systems due to a malware can be identified and confirmed by these detective controls.The following are the major detective controls used by global organizations as detective controls in combating against cyber security risks:

– Implementing IDS- Implementing System Monitoring- Implementing Security Incident and Event Management (SIEM) solutions- Implementing Audit Trails- Implementing Log Management- Implementing AV Software- Installation of CCTVs (Footages)- Performing Penetration Testing- Performing Network scanning- Performing vulnerability Analysis- Commissioning information security audits / assessments- Commissioning compromised assessment with a 3rd party

Corrective controls

Corrective controls should form 20% of Cyber Security Controls in an organization.

What do these corrective controls accomplish ?

Corrective controls just exist to mitigate and reduce the negative effects of the threats that has been manifested in an organization.These controls will help in resuming back to Business As Usual (BAU) after a cyber attack.The following are the major detective controls used by global organizations as corrective controls in combating against cyber security risks:

– Implementing Incident Response Plan- Implementing IT Disaster Recovery Plan- Implementing Incident Response Services which will include activities such as digital forensics, malware reverse engineering, e discovery etc- Making a Disaster Recovery Site available for the organization- Making Generators available in working condition- Making UPS available in working condition- Making Fire Extinguisher available in working condition- Making ICT Supplies available from alternate vendors identified- Making Internet Services available from alternate ISP Provider- Making Telecom Services available from alternate vendors- Cyber Insurance Plans- Making updated backups of critical information available from which the operations can be resumed back from a DR Site

This 60-20-20 control combination has been successfully adopted in number of global organizations which will be my choice and recommendation too. Because i believe in “Prevention is better than cure”.

Wishing Good Luck to all of you in your cyber security risk management efforts !!!

Arrange a Conversation 


Article by channel:

Read more articles tagged: Featured