
Security Controls Overview

Jul 25, 2024

Security Controls and Their Categories

Introduction

  • Objective: Describe the categories and types of security controls and how each one reduces risk
  • Protecting: Data, physical systems, buildings, people, and the organization as a whole
  • Focus: Preventing incidents where possible, and minimizing impact and limiting damage when a breach does occur

Four Categories of Security Controls

  1. Technical Controls: Implemented by technical systems rather than by people
    • Examples: Operating system policies, firewalls, antivirus software
  2. Managerial Controls: Documented policies and procedures that define how the organization is to be secured
    • Examples: Security policies, standard operating procedures
  3. Operational Controls: Carried out by people rather than by systems
    • Examples: Security guards, awareness programs, training
  4. Physical Controls: Limit physical access to facilities and equipment
    • Examples: Guard shacks, fences, locks, badge readers

Security Control Types

1. Preventive Controls

  • Purpose: Block unauthorized access to a resource before it happens
  • Examples: Firewall rules (technical), onboarding policies (managerial), guard shacks (operational), door locks (physical)
  • Categorization:
    • Firewall rules: Technical
    • Onboarding policies: Managerial
    • Guard shack: Operational
    • Door locks: Physical

2. Deterrent Controls

  • Purpose: Discourage an attack without directly blocking it
  • Examples: Security splash screens, threat of demotion, reception desks, warning signs
  • Categorization:
    • Splash screen: Technical
    • Demotion threat: Managerial
    • Reception desk: Operational
    • Warning signs: Physical

3. Detective Controls

  • Purpose: Identify and alert on an intrusion or policy violation, often after the fact; detection on its own does not stop the event
  • Examples: Reviewing system logs, reviewing login reports, patrolling, motion detectors
  • Categorization:
    • System logs: Technical
    • Login reports: Managerial
    • Patrolling: Operational
    • Motion detectors: Physical
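
A technical detective control, as an added example that is not part of the original notes: a small log review that reads sshd-style "Failed password" lines and raises an alert when one source address reaches a threshold of failures inside a sliding time window. The log lines are constructed for the example (documentation addresses from RFC 5737, a hypothetical host named "bastion"); the message format and the threshold and window values are assumptions, not anything the notes specify.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from any real system). 203.0.113.7 fails six
# times in under 30 seconds; 198.51.100.20 fails twice and then succeeds.
SAMPLE_LOG = """\
Jul 25 10:00:01 bastion sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Jul 25 10:00:04 bastion sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Jul 25 10:00:05 bastion sshd[2315]: Failed password for alice from 198.51.100.20 port 40110 ssh2
Jul 25 10:00:09 bastion sshd[2310]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 25 10:00:12 bastion sshd[2315]: Failed password for alice from 198.51.100.20 port 40111 ssh2
Jul 25 10:00:14 bastion sshd[2310]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul 25 10:00:18 bastion sshd[2315]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
Jul 25 10:00:20 bastion sshd[2310]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jul 25 10:00:27 bastion sshd[2310]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jul 25 10:03:40 bastion sshd[2401]: Failed password for bob from 192.0.2.9 port 33000 ssh2
"""

# Assumed OpenSSH message layout: syslog timestamp, host, "sshd[pid]:", then the
# failure text. "invalid user" is optional and is skipped so only the name is kept.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-password line.

    Lines that do not match (successful logins, other daemons) are ignored.
    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window_seconds=60, year=2024):
    """Return {source_ip: (first_ts, last_ts, usernames)} for every source that
    reaches `threshold` failed logins within a `window_seconds` sliding window.

    Only the first window that crosses the threshold is reported per source,
    so a long-running attack produces one alert rather than one per line.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users_seen = defaultdict(set)  # ip -> usernames tried so far
    alerts = {}
    for ts, user, ip in parse_failed_logins(log_text, year):
        q = recent[ip]
        q.append(ts)
        users_seen[ip].add(user)
        # Drop failures that fell out of the window relative to this event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (q[0], ts, sorted(users_seen[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (first, last, users) in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(users)} usernames between {first:%H:%M:%S} "
              f"and {last:%H:%M:%S}: {', '.join(users)}")
```

The alert is the detective half only; what happens next (blocking the address at the firewall, locking the account, notifying the on-call engineer) is a separate corrective control, and keeping the two apart makes it easier to tune the threshold and window without touching the response.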

4. Corrective Controls

  • Purpose: Restore normal operation after an incident has been detected, with as little downtime as possible
  • Examples: Restoring data from backup, policies for reporting security issues, contacting law enforcement, fire extinguishers
  • Categorization:
    • Backup recovery: Technical
    • Reporting policies: Managerial
    • Contacting authorities: Operational
    • Fire extinguishers: Physical

5. Compensating Controls

  • Purpose: Stand in for a required control that cannot be implemented yet; often a temporary measure until the permanent fix is in place
  • Examples: Blocking traffic to an application with an unpatched vulnerability, separation of duties, multiple security guards, power generators
  • Categorization:
    • Blocking traffic: Technical
    • Separation of duties: Managerial
    • Multiple security staff: Operational
    • Power generator: Physical

6. Directive Controls

  • Purpose: Direct people toward more secure behavior; a relatively weak control because it relies on people following the direction
  • Examples: Storing sensitive data in encrypted folders, compliance policies, security training, 'authorized personnel only' signs
  • Categorization:
    • File storage policies: Technical
    • Compliance policies: Managerial
    • Security training: Operational
    • 'Authorized personnel only' signs: Physical

Summary

  • Flexibility: Controls and categories change with technology and organizational needs
  • Practical Application: The examples above are one way to categorize; the same control can often fit more than one category or type
  • Evolution: Security controls must evolve with changing technology and security processes