Security controls are measures an organization takes to protect its information technology systems and the data they hold. They range from personnel-related activities to physically securing computers, running software that detects and removes malware, and protecting the integrity and confidentiality of data. Organizations that handle sensitive data have a duty of care to their clients and shareholders to protect it with such controls. They are also essential on government systems, where the release of information could compromise national security.
A number of activities fall under security controls. One is controlling which staff members can access what. Companies can use background checks to decide who should be trusted with information, and can restrict access on a need-to-know basis. Personnel in one department generally do not need data from another section of the company, and granting it anyway widens the damage a careless or malicious employee can do. For the same reason, companies limit administrative access so that ordinary users cannot change settings that would weaken security; the fewer accounts that can alter a system's configuration, the fewer there are to be abused or compromised.
Computer systems must be protected both physically and technically. Sensitive systems can be kept in locked facilities, and personnel who carry laptops, tablets, and other portable devices need to take precautions, such as encrypting the device and never leaving it unattended, to prevent unauthorized access to their equipment. Technical controls include firewalls, anti-virus software, and other measures that limit who and what can reach a computer and that contain a threat once it appears, rather than letting it spread to other systems.
The network as a whole also needs to be secure. Individual computers can be weak links in the chain, but so can the network itself. Staff in charge of security controls maintain the network and identify weak points as quickly as possible, ideally before an attacker does. They also have to balance tight control against user access: some controls would be highly beneficial from a security standpoint but are hard to put in place because they inconvenience users, who may then look for ways around them.
Some organizations follow generally accepted standards and practices for security controls and rely on their personnel to keep systems safe and, where applicable, in regulatory compliance. Organizations that hold financial information, for example, need secure databases and networks and can face legal penalties if their systems are not up to standard. Others develop custom controls to meet specific needs. A security consultant can help a company develop a security program that fits its risks and obligations.