Security Controls

Sep 16, 2024

IT Security Controls Lecture Notes

Introduction

  • IT security involves preparing for various security risks.
  • Protects data, systems, buildings, people, and organizational assets.
  • Focus on security controls to prevent, minimize, and limit damage from events.

Categories of Security Controls

  1. Technical Controls
    • Implemented using technical systems.
    • Examples: Operating system policies, firewalls, antivirus software.
  2. Managerial Controls
    • Policies explaining management of computers, data, and systems.
    • Examples: Security policies, onboarding policies.
  3. Operational Controls
    • Managed by people rather than technology.
    • Examples: Security guards, awareness programs, monthly training.
  4. Physical Controls
    • Limit physical access to spaces.
    • Examples: Guard shacks, fences, locks, badge readers.

Types of Security Controls

Preventive Controls

  • Purpose: Limit access to resources.
  • Examples:
    • Technical: Firewall rules.
    • Managerial: Onboarding policies.
    • Operational: Guard checking IDs.
    • Physical: Door locks.

Deterrent Controls

  • Purpose: Discourage security breaches.
  • Examples:
    • Technical: Splash screens with security info.
    • Managerial: Threat of demotion.
    • Operational: Reception desks.
    • Physical: Warning signs.

Detective Controls

  • Purpose: Identify and log security breaches.
  • Examples:
    • Technical: System logs.
    • Managerial: Reviewing logs.
    • Operational: Patrolling property.
    • Physical: Motion detectors.

Corrective Controls

  • Purpose: Correct security breaches post-event.
  • Examples:
    • Technical: Restoring from backups.
    • Managerial: Issue reporting policies.
    • Operational: Contacting law enforcement.
    • Physical: Fire extinguishers.

Compensating Controls

  • Purpose: Provide temporary measures post-event.
  • Examples:
    • Technical: Firewall rules for unpatched vulnerabilities.
    • Managerial: Separation of duties.
    • Operational: Multiple security staff.
    • Physical: Use of generators.

Directive Controls

  • Purpose: Direct actions for improved security.
  • Examples:
    • Technical: File storage policies.
    • Managerial: Compliance policies.
    • Operational: Security policy training.
    • Physical: Signs like "Authorized Personnel Only".

Conclusion

  • Various examples provided for different controls and categories.
  • New control types may emerge with evolving technology and security processes.
  • Security controls may differ from one organization to another.