Information Security Controls
The purpose of security controls or defence mechanisms (also called countermeasures)
is to safeguard assets, optimize the use of the organization’s resources, and prevent or
detect errors or fraud. These controls are designed to protect all of the components of
a system, including data, software, hardware, and networks. Controls are intended to
prevent accidental hazards, deter intentional acts, detect problems as early as possible,
enhance damage recovery, and correct problems.
Physical Controls
Physical controls prevent unauthorized individuals from gaining access to a
company’s facilities. Common physical controls include walls, doors, fencing, gates,
locks, badges, guards, and alarm systems.
Access Controls
Access controls restrict unauthorized individuals from using information resources.
They may be physical controls or logical controls; logical controls are implemented
by software. For example, access control programs limit users to
acceptable login times and acceptable login locations. These controls can limit the
number of unsuccessful login attempts and they require everyone to log off their
computers when they leave for the day. In addition, computers are set to
automatically log the user off after a certain period of disuse. Note that logical
controls can be used for other purposes (such as checking calculations), not just for
purposes of controlling access.
Access controls involve two major functions: authentication and authorization.
Authentication confirms the identity of the person requiring access. After the person
is authenticated (identified), the next step is authorization. Authorization determines
which actions, rights, or privileges the person has, based on their verified identity.
Good control systems limit authorization to tasks needed to accomplish a person’s job.
Let’s examine these functions more closely.
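The logical restrictions described above (permitted login hours and locations, a cap on unsuccessful attempts, automatic log-off after a period of disuse) and the authentication-then-authorization sequence can be put together in a small program. The following is an added example written for this page, not code from the original text; the policy values, role names, permissions and users are constructed for illustration.

```python
"""Added example, not from the original text: a small logical access control
that applies the restrictions described above. Policy values (login hours,
permitted locations, attempt cap, idle timeout, roles) are constructed for the
example, as are all users."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3      # lock the account after this many consecutive failures
IDLE_TIMEOUT_SECONDS = 900   # 15 minutes of disuse ends the session (hypothetical policy)
LOGIN_HOURS = range(7, 20)   # logins permitted 07:00-19:59 (hypothetical policy)
ALLOWED_LOCATIONS = {"HQ", "BRANCH-1"}  # constructed labels, e.g. from a network zone or badge reader

# Authorization: each role is limited to the tasks its job requires.
ROLE_PERMISSIONS = {
    "clerk": {"view_account", "post_transaction"},
    "auditor": {"view_account", "view_audit_log"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: a stolen credential store resists brute-force guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def create_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, hash_password(password, salt))


@dataclass
class Session:
    user: User
    last_activity: float   # seconds; compared against the idle timeout


def authenticate(user: User, password: str, hour: int, location: str, now: float):
    """Return a Session on success, or a string naming the reason for refusal.

    The time and location checks run first, so a correct password presented
    from the wrong place or at the wrong time is still refused."""
    if user.locked:
        return "account locked"
    if hour not in LOGIN_HOURS:
        return "outside permitted login hours"
    if location not in ALLOWED_LOCATIONS:
        return "login location not permitted"
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True        # an administrator must unlock the account
            return "account locked"
        return "bad password"
    user.failed_attempts = 0          # a successful login resets the counter
    return Session(user, now)


def authorize(session: Session, action: str, now: float) -> str:
    """Enforce the idle timeout, then check the role's permissions."""
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        return "session expired (idle timeout)"
    session.last_activity = now
    if action not in ROLE_PERMISSIONS.get(session.user.role, set()):
        return "not authorized for this action"
    return "ok"


if __name__ == "__main__":
    alice = create_user("alice", "clerk", "correct horse battery")
    print(authenticate(alice, "correct horse battery", 3, "HQ", 0.0))   # outside permitted login hours
    for _ in range(3):
        print(authenticate(alice, "wrong guess", 10, "HQ", 0.0))        # bad password, bad password, account locked
    bob = create_user("bob", "auditor", "another secret")
    session = authenticate(bob, "another secret", 10, "BRANCH-1", 1000.0)
    print(authorize(session, "view_audit_log", 1100.0))                 # ok
    print(authorize(session, "post_transaction", 1200.0))               # not authorized for this action
    print(authorize(session, "view_account", 2200.0))                   # session expired (idle timeout)
```

The order of checks matters: the lockout and time/location rules are evaluated before the password, so an attacker who has obtained a valid password still cannot use it outside the permitted window, and the failed-attempt counter only advances on a genuine password mismatch. Authorization is re-evaluated on every action rather than once at login, which is what lets the idle timeout take effect.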
Authentication
To authenticate (identify) authorized personnel, an organization can
use one or more of the following types of methods: something the user is, something
the user has, something the user does, or something the user knows.
• Something the user is
Something the user is, also known as biometrics, is an authentication method that
examines a person’s innate physical characteristics. Biometric technologies can be
divided into two categories: active and passive. Active methods of biometric
authentication require the user to participate physically in the verification process,
for example by speaking or by placing a finger or eye near a scanner; they also require
the user to enrol in the biometric system beforehand. Examples of
active biometrics include voice recognition, facial recognition, fingerprint scanning,
retinal scanning, and iris scanning.
Passive methods of biometric authentication are capable of identifying a person without
their active participation. Examples of passive biometrics include voice recognition
and behavioural identification. For example, when a customer calls a bank, instead of
asking for account numbers or passwords, the bank’s agent only asks, “What can I do
for you today?” In the background, the system “listens” to the customer and compares
their voice to the voiceprint on file. Additionally, a mobile banking application can
track user behaviour such as typing cadence, swiping patterns, and even geographic
location to provide continuous authentication.
• Something the user has
Something the user has is an authentication mechanism that includes regular
identification (ID) cards, smart ID cards, and tokens. Regular ID cards, or dumb cards,
typically have the person’s picture and often their signature. Smart ID cards have an
embedded chip that stores pertinent information about the user. (Smart ID cards used
for identification differ from smart cards used in electronic commerce. Both types of
cards have embedded chips, but they are used for different purposes.) Tokens have
embedded chips and a digital display that presents a login number that the employees
use to access the organization’s network. The number changes with each login.
• Something the user knows
Something the user knows is an authentication mechanism that includes passwords and
passphrases. Passwords present a huge information security problem in all
organizations. Most of us have to remember numerous passwords for different online
services, and we typically must choose complicated strings of characters to make them
harder to guess. Passwords must effectively manage the tradeoff between
convenience and security. For example, if passwords are 50 characters in length and
include special symbols, they might keep your computer and its files safe, but they
would be impossible to remember.
We have all bought into the idea that a password is sufficient to protect our data, as
long as it is sufficiently elaborate. In reality, however, passwords by themselves can
no longer protect us, regardless of how unique or complex we make them. In fact,
security experts refer to passwords and PINs as a “double fail.” First, they are easily
stolen or hacked and easily forgotten. Second, they provide very poor security and a
terrible customer experience at the same time. Attackers employ a number of
strategies to obtain our passwords, no matter how strong they are. They can guess
them, steal them (with phishing or spear phishing attacks), crack them using brute
force computation, or obtain them online. (Brute force password cracking means that
a computer system tries all possible combinations of characters until a password is
discovered.)
To identify authorized users more efficiently and effectively, organizations are
implementing more than one type of authentication, a strategy known as multifactor
authentication. This system is particularly important when users log in from remote
locations. Single-factor authentication, which is notoriously weak, commonly consists
simply of a password. Two-factor authentication consists of a password plus one type
of biometric identification, such as a fingerprint. Three-factor authentication is any
combination of three authentication methods.
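The one-time login number that a token displays (described under "something the user has" above) and its use as a second factor alongside a password can be shown concretely. The following is an added example, not code from the original text: it implements the counter-based HOTP code from RFC 4226, which is one common scheme for such tokens (the page does not name the scheme its tokens use, so this is an assumption), and checks it only after the password has passed. Where the page's two-factor example pairs a password with a biometric, this example pairs it with something the user has. The token secret is RFC 4226's published test key, and the users and passwords are constructed.

```python
"""Added example, not from the original text: an RFC 4226 HOTP token (a
one-time login number that changes with each use) verified as the second
factor after a password. The token secret is RFC 4226's published test key;
users and passwords are constructed sample data."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one user's token: shared secret and the next counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few codes generated but never submitted

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the used value: a replayed code is refused
                return True
        return False


class User:
    def __init__(self, name: str, password: str, token_secret: bytes):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.token = TokenRecord(token_secret)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a stolen credential store resists brute-force guessing.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


def two_factor_login(user: User, password: str, token_code: str) -> str:
    """Both factors must pass; the token counter only advances on a valid code."""
    if not user.check_password(password):
        return "bad password"
    if not user.token.verify(token_code):
        return "bad token code"
    return "ok"


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 4226 test secret, not a real token key
    print(hotp(SECRET, 0), hotp(SECRET, 1))                             # 755224 287082
    carol = User("carol", "a memorable passphrase", SECRET)
    print(two_factor_login(carol, "a memorable passphrase", "755224"))  # ok
    print(two_factor_login(carol, "a memorable passphrase", "755224"))  # bad token code (replay)
    print(two_factor_login(carol, "wrong", hotp(SECRET, 1)))            # bad password
```

Two points a practitioner should notice: a code is accepted only once, because the server's counter moves past it, so a login number captured by phishing is useless after the legitimate user has logged in with it; and the look-ahead window is small, so a token that has drifted far ahead of the server (many codes generated but never submitted) has to be resynchronized by an administrator rather than silently accepted.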