
Targeted business outcomes - AWS Prescriptive Guidance

Targeted business outcomes

Companies use security controls to mitigate, or act as countermeasures against, risks to their IT systems. Controls define the baseline of requirements to satisfy the main security objectives of an IT program and its security strategy. Having controls in place improves a company’s security posture by protecting the confidentiality, integrity, and availability of its data and IT assets. Without controls, it would be difficult to know where you need to focus and invest to establish a security baseline.

Security controls can be used to address a variety of scenarios. Examples include meeting requirements that stem from risk assessments, achieving industry standards, or complying with regulations. Satisfying security controls demonstrates that you have measured the risk to a system, determined the level of protection needed, and proactively implemented solutions. Additional factors, such as business, industry, and geography, can all dictate the security controls that you need.

The following are common use cases for implementing security controls:

  • A security assessment of an application has identified the need for access controls based on the sensitivity of data that is being processed.

  • You must comply with security standards, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or National Institute of Standards and Technology (NIST).

  • You need to protect sensitive information for business transactions.

  • Your company has expanded into a geographical region that requires security controls, such as a region that requires compliance with the General Data Protection Regulation (GDPR).

After reading this guide, you should be familiar with the four types of security controls, understand how they are part of your security governance framework, and be prepared to start implementing and automating security controls in the AWS Cloud.