Overview of IT Security Controls

Dec 17, 2024

IT Security Lecture Notes

Introduction to Security Controls

  • IT Security involves preparing for various security risks.
  • Protects data, physical systems, buildings, people, and organizational assets.
  • Focus: Preventing events, minimizing impact, limiting damage.

Categories of Security Controls

  1. Technical Controls

    • Implemented using technical systems.
    • Examples: Operating system policies, firewalls, antivirus software.
  2. Managerial Controls

    • Policies and procedures guiding management of computers, data, systems.
    • Incorporated into standard operating procedures.
  3. Operational Controls

    • Managed by people.
    • Examples: Security guards, awareness programs.
  4. Physical Controls

    • Limit physical access to buildings, rooms, devices.
    • Examples: Guard shacks, fences, locks, badge readers.

Types of Security Controls

  1. Preventive Controls

    • Prevent access to resources.
    • Examples:
      • Firewall rules (Technical)
      • Onboarding policies (Managerial)
      • Guard checks (Operational)
      • Door locks (Physical)
  2. Deterrent Controls

    • Discourage or delay attacks.
    • Examples:
      • Splash screens (Technical)
      • Threat of demotion (Managerial)
      • Reception desk (Operational)
      • Warning signs (Physical)
  3. Detective Controls

    • Identify and alert on breaches.
    • Examples:
      • System logs (Technical)
      • Reviewing login reports (Managerial)
      • Patrols (Operational)
      • Motion detectors (Physical)
  4. Corrective Controls

    • Respond to and mitigate an event after it occurs.
    • Examples:
      • Backups (Technical)
      • Issue reporting policies (Managerial)
      • Law enforcement contact (Operational)
      • Fire extinguishers (Physical)
  5. Compensating Controls

    • Temporary measures when direct controls fail.
    • Examples:
      • Firewall rules for unpatched applications (Technical)
      • Separation of duties (Managerial)
      • Multiple security guards (Operational)
      • Power generators (Physical)
  6. Directive Controls

    • Provide guidance on desired behavior.
    • Examples:
      • Encrypted file storage policies (Technical)
      • Compliance policies (Managerial)
      • Security policy training (Operational)
      • Signs (Physical)

Conclusion

  • Security controls can fit under different categories based on context.
  • Evolution of technology may introduce new control types.
  • Security controls vary between organizations.