Exploring Types of Security Controls

May 30, 2025

Understanding Security Controls

In this lecture, we explore the different types of security controls used in IT security to protect data, physical systems, and people from potential threats.

Categories of Security Controls

  1. Technical Controls

    • Implemented using technology.
    • Examples: Firewalls, antivirus software, operating system policies.
  2. Managerial Controls

    • Policies and procedures outlined in security documentation.
    • Guide day-to-day processes.
  3. Operational Controls

    • Managed by people.
    • Examples: Security guards, awareness programs, lunch and learns.
  4. Physical Controls

    • Limit physical access.
    • Examples: Guard shacks, fences, locks, badge readers.

Types of Security Controls

Preventive Controls

  • Function: Limit access to resources.
  • Examples:
    • Firewall rules (Technical)
    • Onboarding policies (Managerial)
    • Guard shack (Operational)
    • Door locks (Physical)

Deterrent Controls

  • Function: Discourage potential threats.
  • Examples:
    • Splash screens (Technical)
    • Demotion threat (Managerial)
    • Reception desk (Operational)
    • Warning signs (Physical)

Detective Controls

  • Function: Identify breaches and alert on them.
  • Examples:
    • System logs review (Technical)
    • Login reports (Managerial)
    • Property patrol (Operational)
    • Motion detectors (Physical)

Corrective Controls

  • Function: Reverse or minimize damage post-event.
  • Examples:
    • Data recovery from backups (Technical)
    • Issue reporting policies (Managerial)
    • Law enforcement contact (Operational)
    • Fire extinguisher use (Physical)

Compensating Controls

  • Function: Alternative measures for security issues.
  • Examples:
    • Firewall rules instead of patches (Technical)
    • Separation of duties (Managerial)
    • Multiple security staff (Operational)
    • Power generators (Physical)

Directive Controls

  • Function: Direct actions for security compliance.
  • Examples:
    • Encrypted file storage policies (Technical)
    • Compliance policies (Managerial)
    • Security training (Operational)
    • Authorized personnel signs (Physical)

Conclusion

  • Different organizations may use different security controls.
  • As technology and security processes evolve, new control types may emerge.
  • The examples given are not exhaustive; numerous scenarios can fit into any control type or category.

Understanding these controls and their categories helps in effectively managing security risks in various environments.