Live CD Project Assignment No. 1


Security Controls
By Luis G. Carrillo

NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, was developed by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, and first published in 2002. Its purpose is to give organizations a foundation for developing and running an effective risk management program for their IT systems.
The guide lays out a step-by-step process with three phases: risk assessment, risk mitigation, and ongoing evaluation and assessment. Following the process does not remove every risk; it lets an organization identify its risks and reduce them to a level it is willing to accept. The following diagram summarizes the process.
Diagram 1


According to this guide, security controls fall into three classes:

  1. Technical. Controls built into the hardware, software, and firmware of the system to protect against threats. NIST 800-30 groups them into supporting, preventive, and detection and recovery controls; examples are identification and authentication, access control enforcement, cryptography, audit logging, and intrusion detection.
  2. Management. Controls that manage and reduce the risk of loss to the organization's mission and that direct the other two classes. Examples are assigning security responsibility, security policy and planning, risk assessment, security awareness training, and contingency (mitigation) plans.
  3. Operational. Procedural controls, carried out by people rather than by the system, that keep the organization's IT assets and resources used and protected as its security policy and mission require. Examples are physical access control to facilities, control of data media and their disposal, restricting personnel to their assigned areas, environmental protection (fire, power, temperature), and backups with off-site storage.

The goal of implementing these controls is layered protection: one or more controls from each class are applied so that the residual risk, the risk that remains after the controls are in place, is reduced to a level the organization can accept. Residual risk is never zero, so management must explicitly accept whatever remains. This relationship is depicted in the following picture.

Diagram 2