
Term of the Week: Controls

What is it?

A set of guidelines designed to protect an organization’s information security, safeguarding the standards of confidentiality, integrity, and availability (CIA).

Why is it important?

Controls are important because without them, an organization has no guidelines for protecting information and assets.

Why does a business professional need to know this?

The primary cybersecurity function is to protect data, which includes keeping people who should not have access away from data (confidentiality), ensuring that data is not altered by unauthorized entities (integrity), and maintaining an environment that makes data accessible when it is needed (availability).

Cybersecurity controls provide guidance to specialists, helping them protect the security environment. These controls fall into various categories, including the following:

  • Physical: the organization must provide locks on doors
  • Technical: users must use passwords to access systems
  • Regulatory/legal: the authorities must be notified if a breach is detected

As part of the process of protecting an organization’s data, an analyst uses a checklist of controls to ensure that proper security measures are applied so that only authorized persons or processes have access to the organization’s data and assets.

These controls are developed mainly by government entities such as the US National Institute of Standards and Technology (NIST). NIST has developed the Risk Management Framework (RMF) (NIST 2017), a roadmap an organization can follow to properly secure its cybersecurity stance (NIST 800-53). The RMF asks cybersecurity specialists to assign risk based on the type of system to be secured (e.g., a larger network connected to the internet versus a smaller, disconnected stand-alone network). The larger, connected network would have more or different controls applied, since there is a greater risk of a breach. The disconnected network, while still needing protection, would require less stringent controls (Scholl 2017).


About Mark Sears

Mark Sears, a senior systems engineer with Assured Information Technology in Orlando, FL, has been working in cybersecurity for over 10 years for Fortune 200 companies, including Lockheed Martin and General Dynamics. Mark has a BA in communications from Loyola University, an MS in technology management from Rensselaer Polytechnic Institute, and an MS in information assurance from Norwich University. His professional certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE).
