Links between threats and controls

The management does not focus on information security. Responsibilities towards line managers are not assigned. An information security policy and/or ISMS is missing.
Availability: primary, Integrity: primary, Confidentiality: primary

• 5.1 Policies for information security
• 5.4 Management responsibilities
• 5.9 Inventory of information and other associated assets
• 5.29 Information security during disruption
• 5.35 Independent review of information security
• 5.36 Conformance with policies, rules and standards for information security

Line managers do not sufficiently ensure that information security is implemented correctly within their department. The ownership of information systems is not well invested. Security is not a permanent part of projects.
Availability: primary, Integrity: primary, Confidentiality: primary

• 5.2 Information security roles and responsibilities
• 5.4 Management responsibilities
• 5.5 Contact with authorities
• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets
• 5.12 Classification of information
• 5.35 Independent review of information security
• 5.36 Conformance with policies, rules and standards for information security
• 6.3 Information security awareness, education and training

Insufficient attention to security within projects. Within projects (excluding software development) there is insufficient attention to security. This has negative consequences for new systems and processes that are introduced within the organization.
Availability: primary, Integrity: secundary, Confidentiality: primary

• 5.8 Information security in project management
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 5.21 Managing information security in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 5.37 Documented operating procedures
• 8.6 Capacity management
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.32 Change management

The employees lack awareness towards information security and do not feel the need to contribute to it.
Availability: primary, Integrity: primary, Confidentiality: primary

• 5.2 Information security roles and responsibilities
• 5.4 Management responsibilities
• 6.1 Screening
• 6.2 Terms and conditions of employment
• 6.3 Information security awareness, education and training
• 6.4 Disciplinary process

Insufficient attention to security when developing software yourself or having it developed leads to a breach of information security.
Availability: primary, Integrity: primary, Confidentiality: primary

• 5.32 Intellectual property rights
• 8.4 Access to source code
• 8.25 Secure development life cycle
• 8.29 Security testing in development and acceptance
• 8.30 Outsourced development
• 8.31 Separation of development, test and production environments
• 8.33 Test information

Information on a system has been made inaccessible because malware (ransomware, wipers) or an attacker has encrypted or deleted this information.
Availability: primary, Integrity: -, Confidentiality: -

• 5.7 Threat intelligence
• 5.15 Access control
• 5.17 Authentication information
• 5.21 Managing information security in the ICT supply chain
• 5.36 Conformance with policies, rules and standards for information security
• 6.3 Information security awareness, education and training
• 8.7 Protection against malware
• 8.8 Management of technical vulnerabilities
• 8.13 Information backup
• 8.22 Segregation of networks
• 8.23 Web filtering

A network service is reduced in availability due to a malicious attack (DoS) or due to an unforeseen increase in the amount of requests or the resources required to handle a request. Requests can come from users, but also from other systems.
Availability: primary, Integrity: -, Confidentiality: -

• 5.7 Threat intelligence
• 5.20 Addressing information security within supplier agreements
• 5.23 Information security for use of cloud services
• 8.6 Capacity management
• 8.14 Redundancy of information processing facilities

Due to insufficient control over the security of private and home equipment and other equipment from third parties, there is a risk of contamination with malware, for example.
Availability: primary, Integrity: -, Confidentiality: -

• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 6.7 Remote working
• 8.1 User endpoint devices
• 8.7 Protection against malware
• 8.20 Networks security
• 8.21 Security of network services
• 8.22 Segregation of networks

Insufficient quality hardware can lead to system failure.
Availability: primary, Integrity: -, Confidentiality: -

• 5.21 Managing information security in the ICT supply chain
• 7.8 Equipment siting and protection
• 7.13 Equipment maintenance
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities

Incorrect configuration of an application can lead to incorrect processing of information.
Availability: secundary, Integrity: primary, Confidentiality: -

• 5.8 Information security in project management
• 5.21 Managing information security in the ICT supply chain
• 5.37 Documented operating procedures
• 8.9 Configuration management
• 8.32 Change management
• 8.34 Protection of information systems during audit testing

Errors in software can lead to system crashes or corruption of information stored in the system.
Availability: primary, Integrity: primary, Confidentiality: -

• 5.8 Information security in project management
• 5.21 Managing information security in the ICT supply chain
• 8.19 Installation of software on operational systems
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance
• 8.31 Separation of development, test and production environments
• 8.32 Change management

Errors arise in a system as a result of changes in linked systems.
Availability: primary, Integrity: primary, Confidentiality: -

• 5.8 Information security in project management
• 5.9 Inventory of information and other associated assets
• 5.22 Monitoring, review and change management of supplier services
• 8.8 Management of technical vulnerabilities
• 8.19 Installation of software on operational systems
• 8.30 Outsourced development
• 8.32 Change management

Insufficient knowledge or too little control over other people's work increases the risk of human errors. User interfaces that are not tailored to the user level increase the chance of errors.
Availability: secundary, Integrity: primary, Confidentiality: -

• 5.8 Information security in project management
• 6.3 Information security awareness, education and training
• 8.2 Privileged access rights
• 8.12 Data leakage prevention
• 8.13 Information backup
• 8.23 Web filtering

The lack of a policy on internet use, for example, increases the risk of abuse.
Availability: primary, Integrity: -, Confidentiality: secundary

• 5.10 Acceptable use of information and other associated assets
• 5.32 Intellectual property rights
• 5.36 Conformance with policies, rules and standards for information security
• 6.2 Terms and conditions of employment
• 6.3 Information security awareness, education and training
• 6.4 Disciplinary process
• 8.15 Logging
• 8.19 Installation of software on operational systems
• 8.23 Web filtering

Due to insufficient checks on the issue and incorrect inventory of company assets, there is a chance that the theft will not be noticed or will be noticed too late.
Availability: primary, Integrity: -, Confidentiality: secundary

• 5.9 Inventory of information and other associated assets
• 5.11 Return of assets
• 6.1 Screening
• 7.2 Physical entry
• 7.3 Securing offices, rooms and facilities
• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.8 Equipment siting and protection
• 7.9 Security of assets off-premises
• 8.1 User endpoint devices
• 8.10 Information deletion
• 8.12 Data leakage prevention
• 8.13 Information backup

Due to the lack of sanctions for violating rules, there is a chance that employees will not take the policy measures seriously.
Availability: -, Integrity: secundary, Confidentiality: primary

• 5.4 Management responsibilities
• 6.2 Terms and conditions of employment
• 6.4 Disciplinary process

The admission of external parties, such as suppliers and project partners, can have consequences for the confidentiality of the information available within the premises or via the network.
Availability: -, Integrity: -, Confidentiality: primary

• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 6.1 Screening
• 6.6 Confidentiality or non-disclosure agreements
• 7.3 Securing offices, rooms and facilities
• 7.4 Physical security monitoring

The loss of mobile devices and storage media can lead to a breach of the confidentiality of sensitive information.
Availability: secundary, Integrity: -, Confidentiality: primary

• 6.6 Confidentiality or non-disclosure agreements
• 7.9 Security of assets off-premises
• 7.10 Storage media
• 8.1 User endpoint devices
• 8.10 Information deletion
• 8.12 Data leakage prevention
• 8.24 Use of cryptography

Due to insufficient (possibility of) checking an identity, unauthorized access can be obtained to confidential information. This also includes social engineering, such as phishing and CEO fraud.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.14 Information transfer
• 5.16 Identity management
• 5.17 Authentication information
• 6.1 Screening
• 6.3 Information security awareness, education and training
• 6.4 Disciplinary process
• 7.4 Physical security monitoring
• 7.7 Clear desk and clear screen
• 8.1 User endpoint devices
• 8.2 Privileged access rights
• 8.12 Data leakage prevention
• 8.15 Logging
• 8.26 Application security requirements

Due to insufficient control of employees with special rights, such as system administrators, there is a risk of unauthorized access to sensitive information.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.3 Segregation of duties
• 5.10 Acceptable use of information and other associated assets
• 5.16 Identity management
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 6.1 Screening
• 6.4 Disciplinary process
• 6.5 Responsibilities after termination or change of employment
• 6.6 Confidentiality or non-disclosure agreements
• 8.2 Privileged access rights
• 8.12 Data leakage prevention
• 8.15 Logging
• 8.16 Monitoring activities
• 8.17 Clock synchronization

Due to a missing, incorrect or unclear process for allocating and taking rights, a person can inadvertently have more rights. These rights can be abused by this person or by others (eg via malware).
Availability: -, Integrity: primary, Confidentiality: primary

• 5.9 Inventory of information and other associated assets
• 5.11 Return of assets
• 5.15 Access control
• 5.16 Identity management
• 5.17 Authentication information
• 5.18 Access rights
• 6.5 Responsibilities after termination or change of employment
• 8.2 Privileged access rights
• 8.3 Information access restriction
• 8.4 Access to source code
• 8.9 Configuration management
• 8.12 Data leakage prevention
• 8.18 Use of privileged utility program
• 8.31 Separation of development, test and production environments

Lack of password policies and employee awareness can lead to the use of weak passwords, the writing of passwords, or the use of the same password across multiple systems.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.17 Authentication information
• 6.3 Information security awareness, education and training
• 8.5 Secure authentication
• 8.12 Data leakage prevention

In the absence of a clear-desk and/or clear-screen policy, access can be gained to sensitive information.
Availability: -, Integrity: secundary, Confidentiality: primary

• 6.3 Information security awareness, education and training
• 7.7 Clear desk and clear screen
• 7.9 Security of assets off-premises
• 8.1 User endpoint devices
• 8.12 Data leakage prevention
• 8.21 Security of network services

Due to a lack of clarity about the confidentiality of information and authority of persons, there is a risk of unauthorized access to sensitive information.
Availability: -, Integrity: secundary, Confidentiality: primary

• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets
• 5.12 Classification of information
• 5.13 Labelling of information
• 5.14 Information transfer
• 5.15 Access control
• 5.33 Protection of records
• 8.12 Data leakage prevention
• 8.26 Application security requirements
• 8.33 Test information

Sensitive information may leak if storage media or systems containing storage media are discarded or offered to third parties for repair.
Availability: -, Integrity: -, Confidentiality: primary

• 5.9 Inventory of information and other associated assets
• 7.10 Storage media
• 7.14 Secure disposal or re-use of equipment
• 8.10 Information deletion
• 8.12 Data leakage prevention

Abuse of vulnerabilities in applications or hardware. Vulnerabilities in applications or hardware are misused (exploits) to gain unauthorized access to an application and the information stored therein.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.6 Contact with special interest groups
• 5.7 Threat intelligence
• 5.8 Information security in project management
• 5.21 Managing information security in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.36 Conformance with policies, rules and standards for information security
• 8.7 Protection against malware
• 8.8 Management of technical vulnerabilities
• 8.12 Data leakage prevention
• 8.15 Logging
• 8.16 Monitoring activities
• 8.22 Segregation of networks
• 8.23 Web filtering
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance
• 8.32 Change management

Weaknesses in the security of the (wireless) network are misused to gain access to this network.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.6 Contact with special interest groups
• 5.7 Threat intelligence
• 5.21 Managing information security in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 7.12 Cabling security
• 8.5 Secure authentication
• 8.8 Management of technical vulnerabilities
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.20 Networks security
• 8.22 Segregation of networks
• 8.29 Security testing in development and acceptance

Because external parties / suppliers do not have their information security in order, infringements can occur on the information to which they have access.
Availability: -, Integrity: -, Confidentiality: primary

• 5.8 Information security in project management
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 5.21 Managing information security in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 8.34 Protection of information systems during audit testing

Information that is taken outside the office for permitted use, for example, is no longer properly protected. Also consider Bring Your Own Device (BYOD).
Availability: -, Integrity: -, Confidentiality: primary

• 5.23 Information security for use of cloud services
• 6.7 Remote working
• 7.9 Security of assets off-premises

Sensitive information is retrieved by means of keyloggers or network taps.
Availability: -, Integrity: -, Confidentiality: primary

• 7.1 Physical security perimeters
• 7.2 Physical entry
• 7.8 Equipment siting and protection
• 7.12 Cabling security
• 8.7 Protection against malware
• 8.12 Data leakage prevention

Breach of confidentiality of information by sending information unencrypted.
Availability: -, Integrity: secundary, Confidentiality: primary

• 5.12 Classification of information
• 5.13 Labelling of information
• 5.14 Information transfer
• 5.21 Managing information security in the ICT supply chain
• 6.4 Disciplinary process
• 6.6 Confidentiality or non-disclosure agreements
• 7.10 Storage media
• 8.12 Data leakage prevention
• 8.24 Use of cryptography
• 8.26 Application security requirements

Breach of confidentiality of information due to insufficient control of recipient.
Availability: -, Integrity: -, Confidentiality: primary

• 5.14 Information transfer
• 6.6 Confidentiality or non-disclosure agreements
• 7.10 Storage media
• 8.12 Data leakage prevention
• 8.24 Use of cryptography
• 8.26 Application security requirements

Information is lost due to the medium becoming unreadable or the file format becoming outdated.
Availability: primary, Integrity: -, Confidentiality: -

• 5.33 Protection of records
• 7.10 Storage media
• 8.13 Information backup

Unwanted actions as a result of incorrect company information or receiving incorrect information. This could be as a result of willful act or a mistake.
Availability: -, Integrity: primary, Confidentiality: -

• 5.14 Information transfer
• 5.19 Information security in supplier relationships
• 8.24 Use of cryptography
• 8.26 Application security requirements

There is a risk of misuse of cryptographic keys due to incorrect or missing key management. The use of weak cryptographic algorithms provides a false sense of security.
Availability: -, Integrity: primary, Confidentiality: primary

• 5.31 Legal, statutory, regulatory and contractual requirements
• 8.11 Data masking
• 8.24 Use of cryptography

Legislation in some countries allows the government of such a country to view information stored in the cloud.
Availability: -, Integrity: -, Confidentiality: primary

• 5.21 Managing information security in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 5.31 Legal, statutory, regulatory and contractual requirements

Legislation in some countries allows the government to require access to the data on systems included when visiting that country.
Availability: -, Integrity: -, Confidentiality: primary

• 5.31 Legal, statutory, regulatory and contractual requirements
• 6.3 Information security awareness, education and training
• 6.7 Remote working
• 8.1 User endpoint devices

Legislation in some countries allows governments to demand a copy of cryptographic keys.
Availability: -, Integrity: -, Confidentiality: primary

• 5.31 Legal, statutory, regulatory and contractual requirements
• 8.24 Use of cryptography

The consequences of incidents are unnecessarily large as a result. Within the company there is insufficient network monitoring and there is no central reporting point for security incidents.
Availability: -, Integrity: secundary, Confidentiality: primary

• 5.24 Information security incident management planning and preparation
• 5.25 Assessment and decision on information security events
• 5.26 Response to information security incidents
• 6.8 Information security event reporting
• 8.7 Protection against malware
• 8.15 Logging
• 8.16 Monitoring activities

System administrators do not have enough technical information about the problem to solve it. There is no action plan, which means that the incident continues unnecessarily long.
Availability: primary, Integrity: primary, Confidentiality: primary

• 5.9 Inventory of information and other associated assets
• 5.25 Assessment and decision on information security events
• 5.26 Response to information security incidents
• 5.27 Learning from information security incidents
• 5.28 Collection of evidence
• 5.29 Information security during disruption
• 8.15 Logging
• 8.16 Monitoring activities
• 8.17 Clock synchronization

Causes of incidents are not held accountable for their actions. Managers have insufficient insight into recurring incidents, so that they do not manage them.
Availability: primary, Integrity: secundary, Confidentiality: primary

• 5.24 Information security incident management planning and preparation
• 5.27 Learning from information security incidents
• 5.36 Conformance with policies, rules and standards for information security
• 6.4 Disciplinary process
• 6.8 Information security event reporting

The lack of access passes, visibility of entrances and awareness among employees increases the chance of unauthorized physical access.
Availability: -, Integrity: -, Confidentiality: primary

• 5.29 Information security during disruption
• 7.1 Physical security perimeters
• 7.2 Physical entry
• 7.3 Securing offices, rooms and facilities
• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.6 Working in secure areas
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection

The lack of fire detectors and fire extinguishing equipment increases the consequences of a fire.
Availability: primary, Integrity: -, Confidentiality: -

• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 7.1 Physical security perimeters
• 7.2 Physical entry
• 7.3 Securing offices, rooms and facilities
• 7.5 Protecting against physical and environmental threats
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 7.11 Supporting utilities
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities

Explosions can cause damage to the building and equipment and casualties.
Availability: primary, Integrity: -, Confidentiality: -

• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 7.1 Physical security perimeters
• 7.5 Protecting against physical and environmental threats
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities

Flooding can damage computers and other business assets.
Availability: primary, Integrity: -, Confidentiality: -

• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 7.1 Physical security perimeters
• 7.5 Protecting against physical and environmental threats
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 7.11 Supporting utilities
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities

Contamination of the environment can lead to the organization being (temporarily) unable to work.
Availability: primary, Integrity: -, Confidentiality: -

• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity

Failure of facility resources can mean that one or more business units can no longer do their job.
Availability: primary, Integrity: -, Confidentiality: -

• 5.30 ICT readiness for business continuity
• 7.11 Supporting utilities
• 7.12 Cabling security
• 8.14 Redundancy of information processing facilities

Damage to or destruction of company property as a result of an undirected action, such as vandalism or rodents.
Availability: primary, Integrity: -, Confidentiality: -

• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.8 Equipment siting and protection
• 7.11 Supporting utilities
• 7.12 Cabling security

The unavailability of third-party services due to system failure, bankruptcy, unplanned contract termination or unacceptable changes in services (for example, due to a company takeover).
Availability: primary, Integrity: -, Confidentiality: -

• 5.8 Information security in project management
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 5.37 Documented operating procedures
• 8.14 Redundancy of information processing facilities

Security patches will no longer be issued for software that is no longer supported. Also think of Excel and Access applications.
Availability: primary, Integrity: -, Confidentiality: -

• 5.8 Information security in project management
• 5.22 Monitoring, review and change management of supplier services
• 5.30 ICT readiness for business continuity
• 5.37 Documented operating procedures
• 8.28 Secure coding
• 8.30 Outsourced development

Employees who leave the company or who cannot be deployed for a long time due to an accident possess knowledge that is therefore no longer available.
Availability: primary, Integrity: -, Confidentiality: -

• 5.22 Monitoring, review and change management of supplier services
• 5.37 Documented operating procedures