
Chapter 2 Literature Review

2.5 Security controls

2.5.2 Classifications of security controls

Reviewing the literature has shown that there are diverse views regarding the classification of security controls. Security controls can be classified according to their purpose into preventive, detective and corrective controls (Bagranoff et al. 2005; Flowerday and Von Solms 2005; Lin 2006; Romney and Steinbart 2003). Abu-Musa (2004b), Chang and Yeh (2006), Kankanhalli et al. (2003) and Qureshi and Siegel (1997) add a fourth class, deterrent controls. However, deterrent controls and preventive controls serve the same function, namely hindering or stopping a security threat before it materialises, so the two classes are merged here. Security controls can therefore be classified by purpose into preventive, detective and corrective controls.

Security controls can also be classified according to their association with the stages of data or transaction processing into input, processing, storing and output security controls (Abu-Musa 2004b; Bagranoff et al. 2005). Nota (1988), on the other hand, classified controls according to the stages of the data manipulation process into access, input, computation, output and back-up controls. Input controls ensure the validity, accuracy and completeness of data entered into the AIS. Processing controls govern the manipulation of accounting data after they have been entered into the computer. Output controls ensure the validity, accuracy and completeness of output and that output is directed only to authorised persons, whereas storing security controls ensure that all stored data and programs are protected against unauthorised access, manipulation, alteration and disclosure.
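To make the four stage-based categories concrete, the following added example (written for this review; it is not code from the thesis or from any of the authors cited, and the chart of accounts, the four-digit account-code format, the storage key, the role names and the sample batch are all constructed assumptions) runs a small batch of journal entries through an input control, a processing control, a storage control and an output control. Each function's docstring also notes whether it acts as a preventive, detective or corrective control in the purpose-based classification discussed above.

```python
import hashlib
import hmac
import re

# Assumptions for this example: a four-digit chart of accounts, a storage key
# (kept out of source in a real system) and the roles allowed to receive reports.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Receivables", "4000": "Sales", "5000": "COGS"}
ACCOUNT_RE = re.compile(r"^\d{4}$")
STORAGE_KEY = b"example-only-key-keep-real-keys-out-of-source"
REPORT_ROLES = {"controller", "auditor"}


def validate_input(record):
    """Input control (preventive): completeness, validity and accuracy of one entry."""
    errors = []
    for field in ("id", "account", "amount", "entered_by"):
        if record.get(field) in (None, ""):
            errors.append(f"missing {field}")
    if errors:
        return errors
    account = str(record["account"])
    if not ACCOUNT_RE.match(account) or account not in CHART_OF_ACCOUNTS:
        errors.append("account not in chart of accounts")
    amount = record["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    return errors


def batch_totals(records):
    """Processing control (detective): record count, financial total and hash total."""
    return {
        "count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        # Sum of account codes: no accounting meaning, but a substituted code changes it.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def check_batch(records, declared):
    """Names of the control totals that disagree with what the preparer declared."""
    actual = batch_totals(records)
    return [name for name, value in declared.items() if actual.get(name) != value]


def seal(record):
    """Storage control (detective): keyed tag over the canonical fields of an entry."""
    canon = "|".join(str(record[f]) for f in ("id", "account", "amount", "entered_by")).encode()
    tag = hmac.new(STORAGE_KEY, canon, hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(stored):
    """Recompute the tag for a stored entry and compare it in constant time."""
    fields = {k: v for k, v in stored.items() if k != "tag"}
    return hmac.compare_digest(seal(fields)["tag"], stored.get("tag", ""))


def process_batch(records, declared_totals):
    """Run the input and processing controls, then seal accepted entries for storage."""
    accepted, rejected = [], {}
    for record in records:
        errors = validate_input(record)
        if errors:
            rejected[record.get("id")] = errors  # corrective: returned to the preparer
        else:
            accepted.append(record)
    return {
        "stored": [seal(r) for r in accepted],
        "rejected": rejected,
        "batch_discrepancies": check_batch(accepted, declared_totals),
    }


def sales_report(store, requester_role):
    """Output control: only authorised roles receive the report, and stored rows whose
    integrity tag fails verification are excluded and counted rather than reported."""
    if requester_role not in REPORT_ROLES:
        raise PermissionError(f"role {requester_role!r} is not authorised to receive this report")
    intact = [r for r in store if verify(r)]
    sales = sum(r["amount"] for r in intact if r["account"] == "4000")
    return {"sales": round(sales, 2), "excluded_tampered": len(store) - len(intact)}


# Constructed batch: T3 uses an account outside the chart, T4 has a negative amount.
SAMPLE_BATCH = [
    {"id": "T1", "account": "1000", "amount": 250.0, "entered_by": "clerk1"},
    {"id": "T2", "account": "4000", "amount": 250.0, "entered_by": "clerk1"},
    {"id": "T3", "account": "9999", "amount": 40.0, "entered_by": "clerk2"},
    {"id": "T4", "account": "1200", "amount": -10.0, "entered_by": "clerk2"},
]
# Control totals the preparer would have declared for the two valid entries.
SAMPLE_DECLARED = {"count": 2, "financial_total": 500.0, "hash_total": 5000}

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_DECLARED)
    print(result["rejected"], result["batch_discrepancies"])
    print(sales_report(result["stored"], "controller"))
```

The storage control uses a keyed HMAC rather than a plain checksum so that someone who can alter a stored row cannot simply recompute its checksum; the key therefore has to live outside the data store it protects, otherwise the control collapses to a detective check against accidental corruption only.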

Moreover, Gerber and Von Solms (2001) categorised security controls according to the evolution of computing eras (the computer-centric, IT-centric and information-centric eras) into physical, technical and operational controls. Physical controls such as locked doors and cameras were used to protect the entrance to, and the continued operation of, the computing facility. Technical controls such as user identification and authentication, access controls and encryption were introduced once information systems became remotely accessible. Operational controls are the security policies, procedures, standards and guidelines that complement physical and technical controls in protecting IS and information in the information-centric era.

Dhillon and Moores (2001) addressed computer crime and classified controls into three categories: technical, formal and informal controls. Technical controls restrict access to buildings and rooms, or to computer systems and programs. Formal controls establish rules, ensure compliance with laws and procedures, and identify security roles and responsibilities, whereas informal controls cover the security training and awareness programmes conducted within companies.

The USA National Security Telecommunications and Information Systems Security Committee (NSTISSAM INFOSEC/1-99 1999), addressing insider threats to IS, classified countermeasures into technical and procedural countermeasures. Technical countermeasures include access control, identification and authentication, encryption, operating system controls, system administration, event logging, audit and intrusion detection tools. Procedural countermeasures include personnel security procedures (e.g. background checks and employee responsibilities), users' security procedures (e.g. segregation of duties, accountability, audits, passwords and authentication) and security policies for the protection of IS (e.g. access controls, accountability, maintenance procedures, reportable incidents, contingency procedures and legal issues). These procedural countermeasures clearly encompass the formal and informal controls identified by Dhillon and Moores (2001).

Furthermore, the USA National Institute of Standards and Technology (NIST 800-53 2005) classified security controls into management, operational and technical controls. Management controls address risk management and information security management and include risk assessment, planning, system and services acquisition, certification, accreditation and security assessments. Operational controls are implemented and executed by people and include personnel security, physical and environmental protection, contingency planning, maintenance, system and information integrity, incident response, and awareness and training. Technical controls are implemented and executed by the information system itself through mechanisms contained in the system's hardware or software and include identification and authentication, access control, audit and accountability, and system and communications protection.

On the other hand, Romney and Steinbart (2003) classified controls according to the AIS reliability principles into availability, security, maintainability and integrity controls. Availability controls ensure that the system is available and include minimising system downtime and a disaster recovery plan. Security controls ensure that the system is protected against unauthorised physical and logical access and include segregation of duties, physical and logical access controls, protection of computers and networks, and internet controls. Maintainability controls ensure that the system can be modified as required without affecting its availability, security and integrity, and include project development and acquisition controls and change management controls. Integrity controls ensure that system processing is complete, accurate, timely and authorised and include input validation, online data entry controls, data processing and storage controls, output controls and data transmission controls.

In a more recent study, Yeh and Chang (2007) classified security countermeasures into two major categories. IT-related countermeasures include software, hardware, data and network security controls, whereas non-IT-related countermeasures include physical facilities and environment, personnel, regulation, compliance with legal requirements and risk transference controls.

From the above, security controls can be classified as follows:

- According to purpose, into preventive, detective, and corrective controls;

- According to their association with data processing stages, into input, processing, storing, and output security controls;

- According to the evolution of computing eras, into physical, technical, and operational controls;

- According to their role in minimising crimes, into technical and procedural (formal and informal) controls;

- According to their security function, into management, operational, and technical controls; and

- According to AIS reliability principles, into availability, security, maintainability and integrity controls.