Security controls help prevent security events, minimize their impact, and limit the damage. They serve as essential components of an organization’s defense strategy to protect assets, data, and systems from potential threats. Many security controls fall into multiple categories and types at once.
Control Categories
Technical Controls
Controls implemented through technological systems. Examples of these controls include firewalls, anti-virus software, intrusion detection and prevention systems, and backup and recovery tools.
Managerial Controls
Controls focused on the implementation of security policies, procedures, and guidelines. Examples of these controls include incident response plans, business continuity plans, acceptable use policy, and data classification policies.
Operational Controls
Controls carried out by people as part of the organization’s day-to-day operations. Examples of these controls include cybersecurity awareness programs, a reception desk, security policy training, and backup management.
Physical Controls
Controls that physically limit or monitor access to facilities and equipment. Examples include door locks, warning signs, fences, badge readers, and guard shacks.
Control Types
Preventive
Control types that block access to a resource before an event can occur. Examples include firewall rules, enabling door locks, a guard shack checking all identification, and following security policies.
Deterrent
Control types that discourage an intrusion attempt but do not necessarily directly prevent access. Examples include warning signs, a reception or assistant desk, or an application splash screen.
Detective
Control types that identify intrusions and log the event. Examples include log files, login reports, and motion detectors.
Corrective
Control types that seek to correct a problem; they are applied after an event has occurred. Examples include restoring backups after a ransomware incident, adding a fire extinguisher after a fire has broken out, creating security policies after an incident occurs, and contacting law enforcement.
Compensating
Control types that are implemented when primary controls cannot be fully applied due to constraints. Examples include blocking an application when a patch for it cannot be applied, implementing separation of duties, and using a generator after a power outage.
Directive
Control types that provide guidance and establish rules for an organization’s security efforts and compliance. Examples include compliance policies, security awareness policies, file storage policies, and data storage policies.