| Control Family | Description | Response | Mitigation / Recommendation | Notes |
|---|---|---|---|---|
| Access Control (AC) – Managing user permissions | Are user accounts reviewed regularly for access appropriateness? | |||
| Incident Response (IR) – Preparing for and managing incidents | Is there an established and tested incident response plan? | |||
| Risk Assessment (RA) – Identifying and managing risk | Are formal risk assessments performed annually? | |||
| Configuration Management (CM) – Securing system settings | Are baseline configurations documented and enforced? | |||
| Awareness & Training (AT) – Educating personnel | Do all employees receive annual security awareness training? | |||
| Audit & Accountability (AU) – Monitoring and recording activity | Are audit logs collected, protected, and reviewed regularly? | |||
| Media Protection (MP) – Safeguarding sensitive information | Is sensitive data on media securely destroyed before disposal? | |||
| System & Communications Protection (SC) – Secure transmission | Is sensitive data encrypted during transmission? | |||
| Physical & Environmental Security (PE) – Physical access controls | Are physical locations secured with access restrictions and monitoring? |
Access control is the cornerstone of security. Regular reviews ensure that only the right people have access to sensitive data and systems, reducing the risk of insider threats, data breaches, and privilege escalation.
Without access control reviews, users might retain unnecessary permissions long after they’ve changed roles or left the organization, leading to potential exposure or exploitation.
If your organization is not regularly reviewing user access or using role-based access controls, implement a structured program. Use IAM tools for automation, establish review policies, and assign clear responsibilities for monitoring and enforcing access reviews.
Maintaining an accurate inventory of assets is essential for effective security management. Without a comprehensive and current inventory, it’s impossible to track vulnerabilities, plan for updates, or monitor unauthorized devices.
Organizations that lack proper asset management often face difficulties when responding to incidents, ensuring compliance, and managing patches, increasing the risk of undetected threats.
If your organization is not maintaining a comprehensive and updated inventory, consider adopting an automated asset management system. Implement regular audits and ensure that all hardware and software are categorized and tracked. Establish a formal process for updating the inventory whenever assets are added, modified, or decommissioned.
Risk assessment is essential to understanding potential threats and vulnerabilities that could impact the confidentiality, integrity, and availability of systems and data. It enables organizations to make informed decisions about mitigating or accepting risks.
Without a structured risk assessment process, organizations may overlook critical exposures, allocate resources ineffectively, or fail to comply with regulatory standards.
If risk assessments are not conducted regularly or documented effectively, implement a formal risk management program. Adopt a standard methodology, assign ownership of risks, and establish a living risk register with regular reviews and updates.
Configuration management ensures that all systems are set up securely and consistently. Misconfigured systems are a common entry point for attackers and can lead to unauthorized access, data breaches, and compliance violations.
Without proper configuration management, default settings, unused services, or unpatched software can be overlooked, exposing systems to vulnerabilities.
If secure configuration management is lacking, establish and enforce security baselines using industry standards. Implement configuration management tools to automate the process, and ensure all changes go through proper review and approval channels.
Security awareness and training programs empower employees to recognize and respond to threats like phishing, social engineering, and insider risks. Human error is a major cause of security incidents, so educating staff is essential to strengthening the organization’s security posture.
Trained personnel are less likely to fall victim to attacks and more likely to report suspicious activity, which improves incident detection and response.
If a formal training and awareness program is lacking, establish a recurring, role-specific training schedule. Integrate phishing simulations and track completion rates. Make training mandatory for all employees, and include it in onboarding and annual compliance reviews.
Audit logs provide crucial visibility into system and user activity. Regularly collecting and reviewing these logs helps detect unauthorized access, malicious activity, and performance issues before they become major incidents.
Without proper logging and monitoring, it’s nearly impossible to investigate incidents or meet compliance requirements such as those from NIST, ISO 27001, or regulatory frameworks like HIPAA and PCI-DSS.
If your organization is not collecting or reviewing audit logs, implement a centralized logging solution immediately. Establish review routines, alert thresholds, and retention schedules. Integrate logs into incident response and compliance procedures to ensure traceability and accountability.
Media containing sensitive or confidential information (e.g., USB drives, backup tapes, printed documents) must be properly protected to prevent unauthorized access, data breaches, and loss of integrity. Mishandling of physical or digital media is a common cause of data leaks.
Proper media protection ensures compliance with regulatory requirements and helps maintain data confidentiality and integrity throughout its lifecycle.
If media protection practices are inadequate, establish or update policies for handling, labeling, encrypting, and securely disposing of media. Provide training for personnel and implement logging for access and movement. Use encryption by default and ensure disposal is certified and documented.
Ensuring the secure transmission of data protects sensitive information from being intercepted or tampered with during transit. This is critical for maintaining confidentiality, integrity, and trust in systems handling personal, financial, or operational data.
Unprotected communication channels can be exploited through man-in-the-middle attacks, eavesdropping, or data manipulation, resulting in data breaches and compliance violations.
Implement a comprehensive secure transmission strategy, including mandatory encryption, routine certificate management, secure VPN configurations, and regular audits of all communication channels. Update and enforce policies requiring encrypted communications for all sensitive data exchanges.
Physical access controls prevent unauthorized individuals from entering sensitive areas, protecting hardware, data, and systems from tampering, theft, or destruction. Without physical security, even the best cybersecurity measures can be bypassed.
Environmental controls also protect against hazards such as fire, water damage, or power failure, ensuring systems remain safe and operational.
Implement physical security measures including access badges, surveillance, and visitor management procedures. Ensure environmental safeguards such as fire suppression and power backup are maintained. Conduct regular training and reviews to enforce adherence to policies.
System integrity ensures that systems operate as intended and are free from unauthorized changes or malicious code. It helps maintain trust in the systems’ outputs, prevents corruption of data, and supports continuity of operations.
Monitoring and protecting against unauthorized modifications is crucial for detecting and responding to potential compromises in a timely manner.
Implement file integrity monitoring solutions and ensure anti-malware tools are active and updated. Establish system baselines and perform regular reviews to detect unauthorized changes. Enable alerting and response workflows for detected anomalies.
System and information integrity ensures that flaws, errors, or malicious activity in systems or data are detected and addressed quickly. This control helps minimize the potential damage from vulnerabilities or compromises.
Without timely detection and correction of issues, systems become vulnerable to exploitation, leading to data breaches or system failures.
Establish a routine vulnerability management process and automate patch deployment where feasible. Enhance anti-malware protection, enable real-time alerts, and implement robust email security filtering to catch threats before they affect users or systems.
Planning and monitoring for security ensures that the organization has a defined strategy and framework for protecting its assets and information. This process helps ensure that the necessary safeguards are in place before risks escalate.
Without a solid security plan, organizations may find themselves unprepared to address threats, making it difficult to protect sensitive information or respond to incidents effectively.
If your organization does not have a formal security plan or ongoing risk assessments, prioritize developing a comprehensive security strategy. Ensure that security training is mandatory for all employees and conduct regular security assessments and incident response exercises.