Computer Sciences and Information Technology
This is a cybersecurity course. The rubric is attached

Purpose – In this Assignment, you will look at security controls, and how they are tested.

Assignment Instructions:
Using the Reading, the library, and Internet research, answer or explain the following in a paper of at least 400 words that includes three or more APA-style references:

Differentiate perimeter controls from internal controls. Give examples.
What controls constitute a defense in depth strategy? Explain.
How are security controls tested and verified?

When it comes to cybersecurity, access control is an important aspect because it determines what authorized personnel can view within a computing environment. Through such control, risk is minimized within an organization, especially in this era when companies are sensitive about brand image. Perimeter security consists of man-made barriers that keep intruders out and regulate access, whereas internal control is a set of policies an organization adopts to safeguard its assets and promote accountability. Perimeter controls limit physical access to the organization's outside environment, buildings, rooms and tangible IT assets. Internal controls, on the other hand, limit access to data, network connections and system files (Rouse, 2014). Examples of perimeter controls include:
• Firewalls: inspect the packets of data that move into and out of the network and decide which ones will be granted access and which ones will be denied.
• Fences and walls
• Vehicle barriers
• Pedestrian barriers
Examples of internal controls include:
• Vendor Patching: updating software to the latest vendor version so that known weaknesses cannot be exploited.
• Encryption Policy: specification of the encryption algorithms, key lengths and key rotation timings to be used.
• Confidentiality Agreements: legal documents that bind employees to keeping company information confidential.
A defense in depth strategy is the creation of a system that protects against, detects and responds to attacks. Perimeter controls contribute to a defense in depth strategy through the implementation of firewalls, routers and intrusion detection systems. A firewall inspects the packets of data that move into and out of the network and decides which ones will be granted access and which ones will be denied; a set of rules is normally in place to determine these decisions. Threat protection is the reason firewalls are proving to be so important: while antivirus software provides a solution against viruses, firewalls provide better protection for guarding a computer against network threats.

One can choose between an appliance firewall and a client firewall to protect the network as well as the connection to the internet. An appliance firewall is built into the computer and is configured to monitor all the data that travels on the network to and from that computer, whereas a client firewall ensures that there is a secure connection between the internet and the computer itself. The system is then designed in layers that overlap each other so that prevention, detection and response are all realized (Breithaupt & Merkow, 2014). With a layered system, if one layer fails, the remaining layers can still be relied upon.
Security controls can be tested through:
• Establishment of Security Metrics: defining the scope of the security program so that performance, operational statistics and progress toward compliance goals can be measured.
• Vulnerability and Penetration Testing: helps the organization determine the extent of its security. Weaknesses are discovered during vulnerability assessments, and in penetration tests those weaknesses are exploited to determine whether real threats could be carried out through them.
• Internal Auditing: documented organizational policies, together with stakeholders' responses to interviews about their understanding of the cybersecurity activities in place, are used to evaluate how the security controls operate (Baker Tilly, 2017).
Verification can be achieved through constant monitoring of the control environment to make sure that the cybersecurity program is effective within the organization.
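To make the layered rule checking and the control verification described above concrete, here is an added example (not part of the original essay or any of its cited sources) in Python: a first-match perimeter packet filter with a default-deny policy, a host-level internal allow list behind it, and a table of expected outcomes used to verify the controls. The rule sets, addresses and test cases are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: perimeter layer (packet filter) in front of an internal
# layer (host-level allow list). All networks, hosts and rules are made up.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Perimeter rules: (action, source network, destination port or None for any port)
PERIMETER_RULES = [
    ("deny",  "10.0.0.0/8",     None),  # internal address arriving from outside: spoofed
    ("allow", "0.0.0.0/0",      443),   # public HTTPS from anywhere
    ("allow", "203.0.113.0/24", 22),    # SSH only from the admin network
]

# Internal control: which hosts are permitted to expose which ports at all
INTERNAL_ALLOW = {"192.168.1.10": {443}, "192.168.1.20": {22, 443}}

def perimeter_decision(pkt: Packet) -> str:
    """First matching rule wins; traffic matching no rule is denied (default deny)."""
    for action, net, port in PERIMETER_RULES:
        if ip_address(pkt.src) in ip_network(net) and port in (None, pkt.dport):
            return action
    return "deny"

def internal_decision(pkt: Packet) -> str:
    """Host-level layer: only explicitly listed host/port pairs are reachable."""
    return "allow" if pkt.dport in INTERNAL_ALLOW.get(pkt.dst, set()) else "deny"

def layered_decision(pkt: Packet) -> str:
    """Defense in depth: a packet must pass every layer; any single deny is final."""
    for layer in (perimeter_decision, internal_decision):
        if layer(pkt) == "deny":
            return "deny"
    return "allow"

def verify_controls(cases):
    """Control test: return (packet, expected, actual) for every case that failed."""
    return [(p, exp, layered_decision(p)) for p, exp in cases if layered_decision(p) != exp]

# Expected outcomes double as the verification table for the rule set.
TEST_CASES = [
    (Packet("198.51.100.7", "192.168.1.10", 443), "allow"),  # public web traffic
    (Packet("198.51.100.7", "192.168.1.20", 22),  "deny"),   # SSH from outside admin net
    (Packet("203.0.113.5",  "192.168.1.20", 22),  "allow"),  # admin SSH to a listed host
    (Packet("203.0.113.5",  "192.168.1.10", 22),  "deny"),   # perimeter allows, host layer denies
    (Packet("10.1.2.3",     "192.168.1.10", 443), "deny"),   # spoofed internal source
]
```

The fourth case shows the layering at work: the perimeter rule permits admin SSH, but the host-level allow list still denies it for a host that should not expose port 22, so a permissive perimeter rule alone does not open the service.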
In conclusion, it is important to differentiate the roles of internal and external security controls in order to effectively secure an organization’s computing environment. Perimeter controls regulate access to the outside environment while internal controls focus on limiting access to data, network connections, and system files. A defense in depth strategy is the creation of a system that protects, detects, and responds to attacks by implementing overlapping layers of security controls, such as firewalls, intrusion detection systems, and encryption policies. Testing and verifying security controls can be done through the establishment of security metrics, vulnerability and penetration testing, and internal auditing. Through a thorough understanding of the roles of internal and external security controls, organizations can effectively secure their computing environment and minimize risk.
Baker Tilly. (2017). Monitoring and verifying cybersecurity controls effectiveness. Retrieved from
Breithaupt, J., & Merkow, M. (2014). Principle 3: Defense in depth as strategy. In Information security principles of success. Pearson IT Certification. Retrieved from
El-Toby, B. H. M. (2023). The role of internal and external control in evaluating long-term projects for the investment budget: An applied study at a public university. Resmilitaris, 13(1), 2900-2908.
Amadio Viceré, M. G., & Sus, M. (2023). Differentiated cooperation as the mode of governance in EU foreign policy. Contemporary Security Policy, 1-31.
Martill, B., & Gebhard, C. (2022). Combined differentiation in European defense: Tailoring Permanent Structured Cooperation (PESCO) to strategic and political complexity. Contemporary Security Policy, 1-28.
Upadhyay, D., & Sampalli, S. (2020). SCADA (Supervisory Control and Data Acquisition) systems: Vulnerability assessment and security recommendations. Computers & Security, 89, 101666.
Rouse, M. (2014). What is access control? – Definition from Retrieved from