Technology controls (also called IT controls) are procedures or policies that provide reasonable assurance that the information technology used by an organization operates as intended, that its data is reliable, and that the organization complies with applicable laws and regulations.
In information technology, controls act as a check on business processes. They can be physical (security cameras, badges, etc.) or logical (implemented in software). The following is a very general example of how a logical control supports a business requirement and enforces separation of duties.
Sue has rights only to change the application code in the local environment and must not have the right to change any code in the production environment. Similarly, Don works in testing and has rights to test the application only. As part of the logical control, the system is built so that Sue does not even see the button to migrate code to production; likewise, Don's screen does not show the edit-source-code button. This control is defined both in the organizational structure and in the logic of the system.
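The Sue/Don control above, as an added example that is not part of the original article: separation of duties enforced in code rather than only in the user interface. Hiding a button is the visible half; the authoritative check runs where the action is executed, and role assignment refuses combinations that would let one person both change code and ship it. The role model, actions and people are hypothetical.

```python
# Added example (not from the page): separation of duties enforced in code.
# Hiding a button is only the visible half; the authoritative check runs where
# the action is executed, and role assignment refuses conflicting combinations.
# The roles, actions and people (Sue, Don) are hypothetical.
from dataclasses import dataclass, field
from typing import Set

# Role -> actions it permits (hypothetical role model for the example).
ROLE_PERMISSIONS = {
    "developer": {"edit_source", "deploy_local"},
    "tester": {"run_tests", "view_test_results"},
    "release_manager": {"migrate_to_production"},
}

# Role pairs that one person must never hold at the same time, because
# together they would let a single person both change code and ship it.
CONFLICTING_ROLES = {frozenset({"developer", "release_manager"})}


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one user conflicting duties."""


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any combination listed in CONFLICTING_ROLES."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    for held in user.roles:
        if frozenset({held, role}) in CONFLICTING_ROLES:
            raise SeparationOfDutiesError(
                f"{user.name} may not hold {role!r} together with {held!r}")
    user.roles.add(role)


def permissions(user: User) -> Set[str]:
    """Union of the actions permitted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))


def visible_buttons(user: User):
    """What the UI renders for this user: derived from the same data the server checks."""
    return sorted(permissions(user))


def perform(user: User, action: str) -> str:
    """Server-side gate: a hidden button is never the only check."""
    if action not in permissions(user):
        raise PermissionError(f"{user.name} is not permitted to {action}")
    return f"{user.name} performed {action}"


if __name__ == "__main__":
    sue, don = User("Sue"), User("Don")
    assign_role(sue, "developer")
    assign_role(don, "tester")
    print("Sue sees:", visible_buttons(sue))
    print("Don sees:", visible_buttons(don))
    try:
        perform(sue, "migrate_to_production")  # request crafted to bypass the UI
    except PermissionError as e:
        print("blocked:", e)
```

The point of `perform` is that a request arriving without the button (a replayed or hand-built request) is refused by the same permission data that decided what to draw on the screen, so the UI and the server can never disagree.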
Industrial Incorporation of Technology Controls
With the increase in cybersecurity attacks, many industries have been caught in their claws, leading to huge losses for organizations. A report on the increase in cybercrime in 2020 by StanfieldIT analyzed the cost of cybercrime and projected it to increase by $6 trillion in the future.
The banking industry is one of the most sensitive targets for hackers, so banks need to keep their controls very safe. A study by Schneiderdowns details banking-industry IT controls. It classifies technology controls as general controls and application controls, where general controls cover data center operations, system software acquisition, and maintenance.
Application controls, such as computer matching and edit checks, are programmed steps within application software designed to help ensure the completeness, accuracy, authorization, and validity of transaction processing.
Types of Technology Controls
There are various technology controls that can be used to secure information without much effort. They can be defined as follows:
- All traffic from inside to outside, and vice versa, must pass through it.
- Only authorized traffic, as defined by the local security policy, is allowed to pass through it.
- The firewall itself is immune to penetration.
The firewall is an indispensable technical component of network security concepts today, ranging from simple packet filters all the way up to powerful solutions with direct support for specialized industrial protocols. Firewall designs are every bit as diverse, from software packages for PCs to industrially hardened products in metal housings for use at the field level. The current threat landscape plays a large role here, since it largely determines the right technology and deployment location.
It has been a long time since firewalls alone were promoted as a sufficient or sole measure for securing information in industrial plants, or were viewed as synonymous with network security. Firewalls nonetheless remain core elements in the segmentation of networks and are therefore an essential part of any network security strategy.
The requirements stated above can be met using various kinds of firewalls, such as circuit proxies and application proxies.
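The three firewall properties listed above, as an added example that is not part of the original article: a minimal packet filter in which every packet is submitted to the filter, only traffic matching the local policy is allowed, anything unmatched falls to a default deny, and the filter's own address is explicitly protected. The addresses, rules and sample packets are constructed for illustration.

```python
# Added example (not from the page): a minimal packet filter that enforces the
# three properties above: all traffic passes the filter, only policy-authorized
# traffic is allowed, and the filter itself accepts nothing it is not told to.
# Addresses, rules and packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (Internet -> site) or "outbound" (site -> Internet)
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "inbound", "outbound" or "any"
    src: str              # CIDR; "0.0.0.0/0" means any
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """First matching rule wins; anything unmatched is denied (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.denied_log: List[Packet] = []  # record for monitoring / the IDS

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "deny":
                    self.denied_log.append(pkt)
                return rule.action
        self.denied_log.append(pkt)  # property 2: nothing passes without a rule
        return "deny"


# Constructed policy: an internal site (10.0.0.0/8) and one DMZ web server.
SITE = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
FIREWALL_SELF = "203.0.113.1/32"  # the filter's own public address (constructed)
ANY = "0.0.0.0/0"

POLICY = [
    # Nothing may talk to the firewall host itself (property 3).
    Rule("deny", "any", ANY, FIREWALL_SELF, "any", None),
    # Only HTTPS may reach the DMZ web server from outside.
    Rule("allow", "inbound", ANY, WEB_SERVER, "tcp", 443),
    # Internal hosts may browse the web and resolve names.
    Rule("allow", "outbound", SITE, ANY, "tcp", 443),
    Rule("allow", "outbound", SITE, ANY, "udp", 53),
    # Everything else falls through to the implicit default deny.
]


def filter_packets(packets: List[Packet], rules: List[Rule] = POLICY) -> List[str]:
    """Return the decision for each packet, in order (property 1: all traffic is checked)."""
    fw = PacketFilter(rules)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("inbound", "198.51.100.9", "10.0.1.10", "tcp", 443),   # allowed
        Packet("inbound", "198.51.100.9", "10.0.1.10", "tcp", 22),    # denied: no rule
        Packet("inbound", "198.51.100.9", "10.0.0.5", "tcp", 443),    # denied: not the DMZ host
        Packet("outbound", "10.0.0.5", "198.51.100.9", "tcp", 443),   # allowed
        Packet("inbound", "198.51.100.9", "203.0.113.1", "tcp", 22),  # denied: firewall itself
    ]
    for pkt, decision in zip(samples, filter_packets(samples)):
        print(decision, pkt)
```

The order of rules matters: the deny for the firewall's own address sits first so that no later allow can override it, and the absence of a catch-all allow is what makes the default deny bite.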
A virtual private network (VPN) is a technology that creates a safe, encrypted connection over the Internet from a device to a network. This type of connection helps ensure that sensitive data is transmitted safely. It prevents eavesdropping on the network traffic and allows the user to access a private network securely. This technology is widely used in corporate environments.
A VPN is comparable to a firewall: where a firewall protects data locally on a device, a VPN protects data in transit online. To ensure safe communication on the internet, data travels through secure tunnels, and VPN users must pass an authentication method to gain access to the VPN server. VPNs are used by remote users who need to access corporate resources, by consumers who want to download files, and by business travelers who want to access a site that is geographically restricted. This restricted and secure network provided by a VPN is a safe way for organizations to communicate their information and critical data. An organization should be aware of the cost and limitations before applying this technology in its workplace.
An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic. It analyses traffic for possible hostile attacks originating from outsiders and also for system misuse or attacks originating from insiders.
A firewall filters the incoming traffic from the internet, and the IDS complements the firewall's security. Where the firewall protects an organization's sensitive data from malicious attacks over the Internet, the intrusion detection system alerts the system administrator when someone tries to break through the firewall and gain access to a network on the trusted side.
There are different types of intrusion detection systems that can be implemented in an organization depending on its requirements: network intrusion detection systems, host-based intrusion detection systems, perimeter intrusion detection systems, and VM-based intrusion detection systems. These can be chosen according to the industry's and organization's needs and the infrastructure in use.
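The alerting role of an IDS described above, as an added example that is not part of the original article: a small host-based detector that reads authentication log lines and raises an alert when one source address produces repeated failed logins inside a short window, which is the kind of break-in attempt the text says the IDS should report to the administrator. The log lines, threshold and window are constructed for illustration.

```python
# Added example (not from the page): a small host-based detector that reads
# authentication log lines and raises an alert when one source address
# produces repeated failed logins inside a short window. The log lines and
# thresholds are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Expected line shape (constructed, sshd-like):
#   "<ISO timestamp> sshd: Failed password for <user> from <ipv4>"
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd: Failed password for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one source hammers the host, another fails twice,
# ten minutes apart, and one successful login should be ignored entirely.
SAMPLE_LOG = """
2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 sshd: Failed password for oracle from 203.0.113.7
2024-05-01T10:00:12 sshd: Failed password for test from 203.0.113.7
2024-05-01T10:00:15 sshd: Failed password for guest from 203.0.113.7
2024-05-01T10:05:30 sshd: Accepted password for alice from 198.51.100.4
2024-05-01T10:10:00 sshd: Failed password for alice from 198.51.100.4
""".strip().splitlines()


def detect_failed_login_bursts(lines: List[str], threshold: int = 5,
                               window_seconds: int = 60) -> List[dict]:
    """Return one alert per source that reaches `threshold` failures within `window_seconds`."""
    recent: Dict[str, deque] = defaultdict(deque)  # src -> timestamps still inside the window
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # alert once per source, not once per extra failure
            alerts.append({
                "src": src,
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print("ALERT repeated failed logins:", alert)
```

The sliding window is what keeps the detector honest: two failures ten minutes apart from 198.51.100.4 never accumulate, while the burst from 203.0.113.7 fires exactly once when the fifth failure lands, so the administrator receives one alert rather than a flood.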
Access control is the process of selectively restricting access to a system. It is a security concept used to minimize the risk of illicit access to a business or organization. Users are granted access permission and certain privileges to systems and resources, and must present credentials to be granted access to a system. These credentials come in many forms, such as a password, a keycard, or a biometric reading. Access control combines security technology with access control policies to protect confidential information such as customer data.
Access control can be categorized into two types:
- Physical access control
- Logical access control
Physical access control limits access to buildings, rooms, campuses, and physical IT assets.
Logical access control limits connections to computer networks, system files, and data.
A more secure method of access control involves two-factor authentication. The first factor is that a user who wants access to a system must present credentials; the second factor could be an access code, a password, or a biometric reading.
Access control consists of two main components: authentication and authorization. Authentication is the process that verifies someone is who they claim to be, whereas authorization decides whether a user should be allowed to gain access to a system or be denied it.
Apart from basic technology controls, there are various findings published in research articles that should be incorporated into routine activities to ensure the security and safety of information. It also depends on the industry to accommodate these regular actions and protect its organizations from the escalating attacks.
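The two-factor and authentication-versus-authorization points above, as an added example that is not part of the original article: a login check that requires a password (first factor) and a time-based one-time code (second factor, RFC 6238 TOTP), followed by a separate authorization decision from an access list. Authentication says who the caller is; authorization says what that person may do, and passing the first never implies the second. The user names, salts, secrets and access list are constructed; the TOTP secret for one user is the RFC 6238 test-vector seed so the codes are reproducible.

```python
# Added example (not from the page): authentication and authorization as two
# separate steps, with a password plus a time-based one-time code (RFC 6238
# TOTP, HMAC-SHA1) as the second factor. User names, salts, secrets and the
# access list are constructed for illustration.
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 200_000  # kept moderate so the example runs quickly
TOTP_STEP = 30               # seconds per one-time-code period


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the salt must be random and unique per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


# Constructed user store: per-user salt, password hash and TOTP secret.
# Alice's TOTP secret is the RFC 6238 test-vector seed, so codes are reproducible.
_ALICE_SALT = b"constructed-salt-alice"
_BOB_SALT = b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _ALICE_SALT,
              "hash": hash_password("correct horse battery", _ALICE_SALT),
              "totp_secret": b"12345678901234567890"},
    "bob": {"salt": _BOB_SALT,
            "hash": hash_password("bob-password-1", _BOB_SALT),
            "totp_secret": b"constructed-bob-secret"},
}

# Constructed access list: who may do what to which resource (authorization data).
ACL = {
    "alice": {"customer_records": {"read", "write"}},
    "bob": {"customer_records": {"read"}},
}


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Step 1: verify who the caller is. Both factors must pass."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"dummy-salt")  # same work for unknown users (timing)
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False
    return verify_totp(user["totp_secret"], code, unix_time)


def authorize(username: str, resource: str, action: str) -> bool:
    """Step 2: decide whether an already-authenticated user may perform the action."""
    return action in ACL.get(username, {}).get(resource, set())


def access(username: str, password: str, code: str,
           resource: str, action: str, unix_time: int) -> str:
    """Full gate: authentication first, authorization second, each able to deny."""
    if not authenticate(username, password, code, unix_time):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; Alice's code for this step is 287082
    print(access("alice", "correct horse battery", totp(USERS["alice"]["totp_secret"], now),
                 "customer_records", "write", now))
    print(access("bob", "bob-password-1", totp(USERS["bob"]["totp_secret"], now),
                 "customer_records", "write", now))
```

Bob authenticates successfully with both factors and is still refused a write, which is the distinction the text draws: his identity is established, but the authorization step decides what that identity is permitted to do.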