Security Controls Overview

Jul 22, 2024

Introduction

  • Focus: The different security controls used to prevent security breaches, minimize their impact, and limit the damage when one occurs
  • Scope: Protecting data, physical systems, buildings, people, and the organization as a whole

Broad Categories of Security Controls

  1. Technical Controls
    • Implemented using technology
    • Examples: Operating system policies, firewalls, antivirus software
  2. Managerial Controls
    • Policies and procedures to manage IT systems and data
    • Examples: Security policy documentation, standard operating procedures
  3. Operational Controls
    • Managed by people
    • Examples: Security guards, awareness programs, posters
  4. Physical Controls
    • Limit physical access
    • Examples: Guard shacks, fences, locks, badge readers

Control Types

1. Preventive Controls

  • Purpose: Limit access to resources
  • Examples:
    • Technical: Firewall rules
    • Managerial: Onboarding policies
    • Operational: Guard checking IDs
    • Physical: Door locks

2. Deterrent Controls

  • Purpose: Discourage unauthorized access
  • Examples:
    • Technical: Application splash screens
    • Managerial: Threat of demotion or dismissal
    • Operational: Front reception desk
    • Physical: Warning signs

3. Detective Controls

  • Purpose: Identify and warn about breaches
  • Examples:
    • Technical: System logs
    • Managerial: Reviewing login reports
    • Operational: Patrolling the property
    • Physical: Motion detectors
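A detective control in practice combines the technical piece (system logs) with the managerial piece (reviewing login reports). The following script is an added example, not part of the original notes: it reviews constructed sshd-style syslog lines (the addresses, hostnames and timestamps are made up; the year is assumed to be 2024 because syslog lines omit it) and flags two things a reviewer would want surfaced, a burst of failed logins from one source and a successful login from a source that had just failed repeatedly.

```python
"""Detective control: review SSH authentication logs for failed-login bursts.

Added example, not from the original notes. Assumes syslog-style sshd lines;
every log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Documentation addresses (RFC 5737) are used.
SAMPLE_LOG = """\
Jul 22 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 22 10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 22 10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 22 10:00:08 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jul 22 10:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51252 ssh2
Jul 22 10:00:12 host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Jul 22 10:01:00 host1 sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 22 10:05:00 host1 sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the login-outcome lines sshd writes; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, outcome, user, src) or None if the line is not a login event.

    Syslog omits the year, so the caller supplies it (2024 assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span.

    Returns {src: failures_in_worst_window}. A sliding window over the sorted
    failure times keeps this linear in the number of events per source.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[1] == "Failed":
            failures[ev[3]].append(ev[0])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[src] = worst
    return flagged


def find_success_after_failures(log_text, min_failures=3):
    """Flag 'Accepted' logins from a source that failed at least `min_failures` times just before.

    Returns a list of (timestamp, user, src). A success right after a burst of
    failures is the event that most deserves a human reviewer's attention.
    """
    recent_failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        if outcome == "Failed":
            recent_failures[src] += 1
        else:
            if recent_failures[src] >= min_failures:
                hits.append((ts, user, src))
            recent_failures[src] = 0  # a success ends the current failure run
    return hits


if __name__ == "__main__":
    for src, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT failed-login burst: {src} ({n} failures within 60s)")
    for ts, user, src in find_success_after_failures(SAMPLE_LOG):
        print(f"ALERT success after failures: {user} from {src} at {ts.isoformat()}")
```

Run on the sample, the script reports the burst from 203.0.113.5 and the subsequent successful root login from the same source, while alice's single typo followed by a key-based login stays quiet. The thresholds are deliberately parameters: a detective control only earns its keep when its alert rate is tuned so that someone actually reads the report.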

4. Corrective Controls

  • Purpose: Correct the aftermath of an event and restore normal operation
  • Examples:
    • Technical: Data recovery from backups
    • Managerial: Policies for reporting issues
    • Operational: Contacting authorities
    • Physical: Using fire extinguishers

5. Compensating Controls

  • Purpose: Temporarily address a security gap when the preferred control cannot be applied
  • Examples:
    • Technical: Firewall rules to block traffic instead of patching an app
    • Managerial: Separation of duties
    • Operational: Multiple security guards
    • Physical: Power generators

6. Directive Controls

  • Purpose: Direct users to secure practices
  • Examples:
    • Technical: File storage policies
    • Managerial: Compliance policies
    • Operational: Security policy training
    • Physical: Signs like 'Authorized Personnel Only'

Summary

  • Flexibility: The examples given are not exhaustive, and different organizations may use or classify control types differently.
  • Evolving Controls: Changes in technology may introduce new control types over time.