We use standards, baselines, scoping and tailoring to decide which controls we deploy and how we deploy them.
Different controls are deployed for data at rest and for data in motion.
Examples of standards and frameworks used for this are PCI DSS, ISO 27000, OCTAVE, COBIT and ITIL.
Scoping is determining which portion of a standard we will deploy in our organization.
We take the portions of the standard that we want, or that apply to our industry, and determine what is in scope and what is out of scope for us.
Tailoring is customizing a standard to your organization.
For example: we apply the standard as written, but with stronger encryption (256-bit AES) than the standard requires.
Certification is the confirmation that a system, and the security measures that protect it, meet the security requirements set by the data owner or by regulations and laws.
Accreditation is the data owner's formal acceptance of the certification and of the residual risk. It is required before the system can be put into production.