Categories of Security Controls

Jun 14, 2024

Introduction

  • Security Risks: Organizations face many risks across both IT and physical security, and controls exist to protect data, systems, buildings, and people from them.
  • Purpose of Controls: Prevent security events where possible, reduce their impact, and limit the damage when a breach does occur.

Broad Categories of Security Controls

1. Technical Controls

  • Definition: Implemented and enforced by technical systems rather than by people.
  • Examples: Operating system access controls, firewalls, antivirus software.

2. Managerial Controls

  • Definition: Written policies and procedures explaining best practices for managing systems and data.
  • Examples: Security policies, standard operating procedures.

3. Operational Controls

  • Definition: Managed by people rather than technology.
  • Examples: Security guards, awareness programs, posters.

4. Physical Controls

  • Definition: Restrict physical access to places or devices.
  • Examples: Guard shacks, fences, badge readers.

Types of Controls

1. Preventive Controls

  • Purpose: Block unauthorized access or activity before it happens.
  • Examples:
    • Technical: Firewall rules
    • Managerial: Policies for onboarding
    • Operational: Guard shack ID checks
    • Physical: Door locks

2. Deterrent Controls

  • Purpose: Discourage an attacker from attempting an attack. A deterrent does not by itself block access; it raises the perceived risk or cost of trying.
  • Examples:
    • Technical: Login banners or splash screens warning that access is restricted and monitored
    • Managerial: Stated consequences such as demotion or dismissal for policy violations
    • Operational: A staffed reception desk at the front entrance
    • Physical: Warning signs

3. Detective Controls

  • Purpose: Identify a security event and raise an alert, often after the fact. A detective control finds the event but does not stop it.
  • Examples:
    • Technical: System log reviews
    • Managerial: Reviewing login reports
    • Operational: Property patrols
    • Physical: Motion detectors

4. Corrective Controls

  • Purpose: Actions taken after event detection to mitigate damage.
  • Examples:
    • Technical: Restoring systems and data from backups
    • Managerial: Policies for issue reporting
    • Operational: Contacting law enforcement
    • Physical: Fire extinguishers

5. Compensating Controls

  • Purpose: Alternative measures that provide comparable risk reduction when the preferred control cannot be implemented, for example because a patch is not yet available.
  • Examples:
    • Technical: Firewall rules that block traffic to a vulnerable service until it can be patched
    • Managerial: Separation of duties
    • Operational: Multiple security staff
    • Physical: Backup power generator

6. Directive Controls

  • Purpose: Guide behavior towards more secure practices.
  • Examples:
    • Technical: Storage rules that direct users to save files in a designated protected location
    • Managerial: Compliance policies
    • Operational: Security policy training
    • Physical: Signs indicating authorized personnel only

Important Notes

  • Adaptability: Controls and their categories can evolve with technology and organizational practices.
  • Customization: Different organizations may use different sets of controls.