What are security controls?
Explore IBM's security controls solution Subscribe to Security Topic Updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What are security controls?

Security controls are parameters implemented to protect various forms of data and infrastructure important to an organization. Security controls refers to any type of safeguard or countermeasure used to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets.

Given the growing rate of cyberattacks, data security controls are more important today than ever. According to a Clark School study at the University of Maryland, cybersecurity attacks in the U.S. now occur every 39 seconds on average, affecting one in three Americans each year. Furthermore, 43% of these attacks target small businesses. Between March 2021 and March 2022, the average cost of a data breach in the United States was USD 9.44 million.

At the same time, data privacy regulations are growing, making it critical for businesses to shore up their data protection policies or face potential fines. The European Union implemented its strict General Data Protection Regulation (GDPR) rules in 2018. In the U.S., California’s Consumer Privacy Act went into effect on 1 January 2020, with several other states currently considering similar measures.

These regulations typically include stiff penalties for companies that do not meet the requirements. For example, Meta recently reported that it anticipates a fine of more than USD 3 billion from the U.S. Federal Trade Commission for shortcomings around data protection policies that led to several data breaches.

IBM Security® X-Force® Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

Types of security controls

Several types of security controls can protect hardware, software, networks and data from actions and events that could cause loss or damage. For example:

  • Physical security controls include such things as data center perimeter fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras and intrusion detection sensors.

  • Digital security controls include such things as usernames and passwords, two-factor authentication, antivirus software and firewalls.

  • Cybersecurity controls include anything specifically designed to prevent attacks on data, including DDoS mitigation and intrusion prevention systems.

  • Cloud security controls include measures that you take in cooperation with a cloud services provider to offer the necessary protection for data and workloads. If your organization runs workloads on the cloud, you must meet their corporate or business policy security requirements and industry regulations.
Security control frameworks and best practices

Systems of security controls, including the processes and documentation defining the implementation and ongoing management of these controls, are referred to as frameworks or standards.

Frameworks enable an organization to consistently manage security controls across different types of assets according to a generally accepted and tested methodology. Some of the best-known frameworks and standards include:

National Institute of Standards and Technology Cyber Security Framework

The National Institute of Standards and Technology (NIST) created a voluntary framework in 2014 to provide organizations with guidance on how to prevent, detect and respond to cyberattacks. The assessment methods and procedures determine whether an organization’s security controls are implemented correctly and operate as intended. They make sure that these controls produce the desired outcome, meeting the organization's security requirements. The NIST framework is consistently updated to keep pace with cybersecurity advances.

Center for Internet Security controls

The Center for Internet Security (CIS) developed a list of high-priority defensive actions that provide a “must-do, do-first” starting point for every enterprise looking to prevent cyberattacks. According to the SANS Institute, which developed the CIS controls, “CIS controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners.”

Organizations can refer to these and other frameworks to develop their own security framework and IT security policies. A well-developed framework helps make sure that an organization:

  • Enforces IT security policies through security controls
  • Educates employees and users about security guidelines
  • Meets industry and compliance regulations
  • Achieves operational efficiency across security controls
  • Continually assesses risks and addresses them through security controls

A security solution is only as strong as its weakest link. Therefore, you should consider multiple layers of security controls, also known as a defense-in-depth strategy, to implement security controls across identity and access management, data, applications, network or server infrastructure, physical security and security intelligence.

Security controls assessments

A security controls assessment is an excellent first step for determining where any vulnerabilities exist. A security controls assessment enables you to evaluate your current controls to determine they are implemented correctly, operating as intended and meeting your security requirements.

NIST Special Publication 800-53 created by NIST acts as a benchmark for successful security control assessments. The NIST guidelines serve as a best practice approach that, when applied, can help mitigate the risk of a security compromise for your organization. Alternatively, your organization can also create its own security assessment.

Some key steps for creating a security assessment include:

  • Determining the target systems: Create a list of IP addresses that you need to scan in your network. The list should contain IP addresses of all the systems and devices connected in your organization’s network.

  • Determining the target applications: List the web applications and services that you need to scan. Determine the type of web application server, web server, database, third-party components and technologies used to build existing applications.

  • Conducting vulnerability scanning and reporting: Keep network teams and IT teams informed of all assessment activity, because a vulnerability assessment can occasionally create bursts in network traffic when loading the target servers with requests. Also, obtain the unauthenticated pass-through for scanner IPs across the organization network and make sure that the IPs are whitelisted in IPS/IDS. Otherwise, the scanner can trigger a malicious traffic alert, resulting in its IP being blocked.

Read more about how to assess the vulnerability of your enterprise’s applications and network by creating your own security assessment.

Related solutions
IBM Cloud®

IBM Cloud® with Red Hat® offers market-leading security, enterprise scalability and open innovation to unlock the full potential of cloud and AI.

Explore IBM Cloud
Cost of a Data Breach Report 2023

Read the Cost of a Data Breach Report 2023, now in its 18th year, to get the latest insights into the threat landscape and recommendations to save time and limit losses.

Video: What is a DDoS attack?

Watch the video to learn what DDoS attacks are, how they work and how they affect applications and the user experience.

Take the next step

Designed for industry, security and the freedom to build and run anywhere, IBM Cloud is a full stack cloud platform with over 170 products and services covering data, containers, AI, IoT and blockchain. Use IBM Cloud to build scalable infrastructure at a lower cost, deploy new applications instantly and scale up workloads based on demand.

Explore IBM Cloud Start for free