InfoSec Controls, Standards, and Implementation Table
Based on my experience as a software security engineer implementing security products, tools, and policies, I’ve found the following controls to be most relevant. This table outlines how I typically implement these controls, aligning with standards like SOC2, PCI DSS, ISO 27001, CSA STAR-1, and NIST. While not exhaustive, this approach provides a solid foundation for organizations seeking to enhance their security posture across various compliance frameworks.
| Technical Control | Relevant Standards | Implementation with Policies and Standards |
|---|---|---|
| 1. Identity and Access Management (IAM) | SOC2: CC6.1, CC6.2, CC6.3; PCI DSS: Req. 7, 8; ISO 27001: A.9; CSA STAR-1: IAM-02, IAM-05, IAM-09; NIST SP 800-53: AC-2, IA-2, IA-5 | Implement an IAM policy; develop access control procedures; create user provisioning and de-provisioning processes; establish password policies; implement multi-factor authentication |
| 2. Network Security | SOC2: CC6.6, CC6.7; PCI DSS: Req. 1, 11; ISO 27001: A.13; CSA STAR-1: IVS-06, IVS-07, IVS-13; NIST SP 800-53: SC-7, AC-4, SI-4 | Develop a network security policy; implement firewall configuration standards; create IDS/IPS monitoring procedures; establish VPN usage guidelines; implement network segmentation |
| 3. Encryption | SOC2: CC6.7; PCI DSS: Req. 3, 4; ISO 27001: A.10; CSA STAR-1: EKM-02, EKM-03; NIST SP 800-53: SC-8, SC-13, SC-28 | Create a data classification policy; develop encryption standards for data at rest and in transit; establish key management procedures; implement cryptographic module validation |
| 4. Endpoint Protection | SOC2: CC6.8; PCI DSS: Req. 5; ISO 27001: A.8; CSA STAR-1: MOS-03, MOS-04, MOS-20; NIST SP 800-53: SI-3, SI-7, CM-7 | Implement an endpoint security policy; develop BYOD guidelines; create malware protection standards; establish mobile device management procedures; implement application whitelisting |
| 5. Logging and Monitoring | SOC2: CC7.2, CC7.3; PCI DSS: Req. 10; ISO 27001: A.12.4; CSA STAR-1: IVS-01, LOG-01; NIST SP 800-53: AU-2, AU-6, SI-4 | Develop a logging and monitoring policy; create incident response procedures; establish alert thresholds and escalation processes; implement log retention standards; conduct regular log reviews |
| 6. Patch and Vulnerability Management | SOC2: CC7.1; PCI DSS: Req. 6; ISO 27001: A.12.6; CSA STAR-1: TVM-02, TVM-03; NIST SP 800-53: RA-5, SI-2, CM-8 | Create a vulnerability management policy; develop patch management procedures; establish vulnerability scanning frequency standards; implement a responsible disclosure policy; maintain a software/hardware inventory |
| 7. Secure Development Practices | SOC2: CC8.1; PCI DSS: Req. 6; ISO 27001: A.14; CSA STAR-1: AIS-01, AIS-02; NIST SP 800-53: SA-8, SA-11, SA-15 | Implement a secure SDLC policy; develop coding standards; create change management procedures; establish security testing requirements; implement security-focused code reviews |
| 8. Backup and Recovery | SOC2: CC7.4; PCI DSS: Req. 9, 12.10; ISO 27001: A.12.3, A.17; CSA STAR-1: BCR-01, BCR-02, BCR-03; NIST SP 800-53: CP-9, CP-10, IR-4 | Develop a backup and recovery policy; create a disaster recovery plan; establish backup frequency and retention standards; implement business continuity testing procedures; conduct regular recovery exercises |
| 9. Cloud Security | SOC2: CC6.6, CC6.7; PCI DSS: Req. 1, 2, 4; ISO 27001: A.13, A.15; CSA STAR-1: IVS-08, IVS-09; NIST SP 800-53: AC-20, SA-9, SC-7 | Develop a cloud security policy; create cloud provider assessment procedures; establish data residency requirements; implement cloud configuration standards; establish cloud service provider oversight |
| 10. Data Loss Prevention (DLP) | SOC2: CC6.7; PCI DSS: Req. 3, 4; ISO 27001: A.8.2, A.13.2; CSA STAR-1: DCS-01, DSI-02; NIST SP 800-53: SC-7, AC-4, SI-4 | Create a data handling policy; develop data classification standards; establish DLP monitoring procedures; implement data exfiltration controls; conduct regular data flow mapping |