Part Five: Control Strategies
Start course

This course explores risk analysis and prepares you for the CISM examination, which will cover the significant aspects of risk. We'll cover different risk levels and types of risk and how they can potentially affect an organization. We also look at the risk assessment cycle and the stages required when analyzing risk. You'll also learn about the various risk analysis methods available. Then we'll move on to how risk analysis can be used when planning and deploying risk controls and countermeasures.

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Identify risk levels and potential impact of given risks upon the assets
  • Learn about the risk assessment cycle
  • Learn about different risk analysis methods including qualitative, semiquantitative, quantitative, OCTAVE, and FAIR
  • How to use risk analysis to control threats and risk
  • Define a strategy for deploying risk countermeasures

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


With regard to control and counter measure selections, we must begin by defining the strategy in which they will be employed. We must therefore consider risk and tolerance, the business mission, control objectives, and any regulatory requirements for controls that will have to be put in place. Once we have this determined, we can then begin the process of deciding which controls will best suit this mixture of possibly competing objectives.

As I said before, what we are attempting to do is implement a proper control strategy to protect the identified asset base, do so on balance with the business mission, and accomplish it all in a cost effective and operationally effective manner. There are several principles at work here. One of which is to try to automate as much as we reasonably can.

There are several functions that controls perform that simply cannot be done by a human being. For example, we have malware detection and removal. This cannot be done by a person without them reading every single packet of traffic passing by to find which one has the hostile malware. There are other forms of automation that are quite common as well, such as firewalls and intrusion detection systems. Employing this form of automation as much as is reasonably possible will eliminate the possibility of human error in these cases.

Here are some other examples of automation. The access control system which performs identity management in a variety of aspects will include the functions of identification, authentication, authorization, and accountability establishment. On the slide you see two different systems which perform this function.

MAC, a form of rule-based access control standing for mandatory access control, and DAC, a form of identity-based discretionary access control. We have the principle of how system failures will be dealt with. Two basic forms of failure are considered. We have fail open, which is an insecure way of failing, and failing closed, which is a secure way of failing.

In the case of failing open with a physical control it may be preferable to do so to avoid harm to a human being. With fail closed it may be preferable to do so to avoid escape or the ability of a hacker to a system to circumvent controls when the system is in a semi-disabled state.

When we configure systems, as we frequently do with networks, we choose compartmentalizing various systems aspects, such as data repositories, and operating systems partitions. In all such cases there should be transparency of controls function to ensure that none of these controls become what are called black boxes. And when it comes to the question of trust generally we employ the principle of verification of the object or subject before trust can be employed. This will require authentication of that party to establish the basis of trust.

Another mechanism that may be used is segregation of duties and separation of duties together making certain that the levels of authority and combinations of access do not create conflicts of interest. One subject that has to be addressed is also ensuring that the control being chosen has sufficient strength to handle the order of magnitude of the threat intended. This rule will apply regardless of whether the control is automated or human-driven.

In the event of an automated control cannot be found of an appropriate strength to deal with a given set of circumstances, it may be better to rely on a manual process. For example, the use of facial recognition as a biometric authentication mechanism may require employing the person to look at the faces in order to determine appropriate identities rather than trusting to biometrics and their image recognition or dimensional measurements.

It is entirely possible that mistakes will be made and that performance will be much slower than an automated system might provide. In the end however, this may prove more effective than an automated method and may therefore be more desirable.

This is an example where the strength may be in the form of implementation employing a human element rather than an automated one. Strength itself may be inherent in the control type. Take for example two iron bars, one being an inch in diameter, the second being a millimeter in diameter, both are iron bars, both are made of iron and both have a certain measurement of strength. And though similar in many respects the smaller one could not be substituted for the larger one under many conditions likely to be encountered.

This type of functionality desired should also be considered when considering strength as a primary element of the controls in a particular application. When we get to the point of making control recommendations several elements must also be considered in the recommendation being made. These will include effectiveness, compatibility with other system components, effectiveness in achieving regulatory compliance, compliance with organizational policy, cultural acceptance, safety and reliability, and finally operational impact.

The primary consideration of course must be the operational effectiveness of the control being evaluated or recommended. Along with this must be considered the cost effectiveness as well. When we consider physical or environmental controls we must consider additional elements that may not be necessary when considering technological or administrative control types.

Violation of physical security, for example, could render other systems useless through some form of physical damage or interference with the system's operation. If for example, access to a computer operator console can only be done by having access to the room in which they're set, it may not be possible to damage the systems if the person seeking to do so cannot get into the room. This is another case of defense in depth where a physical control and an electronic or technological control must work together to prevent the ultimate objective of the attacker.

In this particular example, different forms of security controls and counter measures are going to be employed. For example there may be the need to employ identification badges which may also act as physical access control cards. We will have various forms of other detective and preventive controls such as closed-circuit TV cameras, security guards, and various forms of sensors and locks. This is of course the need to protect the environment itself.

Data centers contain many millions of dollars quite often in sensitive equipment. And this equipment can be damaged by failure to control the temperature, humidity, and air purity. Also required will be the fire suppression systems to ensure that if a fire should begin it can then be extinguished rapidly with, hopefully, a minimum loss of equipment and ideally no loss of human life.

In looking at other attributes of controls we find that some have inherent controls or security measures built into them. Technologies such as servers, databases, routers, and switches all have the ability to implement various levels and types of controls to protect themselves already built in.

There may also be forms of supplemental controls that can be added on later. These might include a federated identity management system or a single sign-on type of access control system. We also have, of course, the intrusion prevention system and the firewall.

There are supporting controls that can be added to provide additional visibility or capability to the overall security program. These would include various forms of compliance monitoring, system information, and event management systems, and vulnerability scanning types of tools. We come now to the end of our current section.

We're going to pause here before moving on. So be sure to join us again when we begin the next session. Thank you.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.