15. Explain how to apply controls (AC 4.1)
There are many different ways of applying security controls. They range from very simple ones, like encrypting a folder with File Explorer, to more involved ones, which could mean hiring a specialised company to install new hardware and software firewalls. It all depends on your needs.

The first step before applying any security control is to fully assess the situation. This may involve talking to the IT department or to management. You'll need to consider time and money constraints, and determine exactly what control is needed and what needs protecting. After this, the appropriate security control is chosen and then applied.

If it's an easy solution, such as installing a new anti-virus, it can be as simple as going through the installation wizard and installing it on the right systems. If it's a more complex issue and a higher level of expertise is required, the steps will be more involved. Alternatively, you can outsource it to a contractor, such as this company, which is local to me.

The next step is to test that the newly installed security controls are doing their job. For example, if your problem was with phishing, you can test it by sending a lot of phishing emails. The new security controls (anti-phishing software) should automatically catch some of these phishing emails, and the mandatory cyber security training that all staff attended should significantly reduce the number of users clicking on these malicious links.