Understanding Security Controls and Their Categories

May 19, 2025

Security Controls and Their Categories

Overview

  • IT security means preparing for a wide range of security risks.
  • The goal is to protect data, physical systems, buildings, people, and every other asset in the organization.
  • Security controls focus on preventing events, minimizing their impact, and limiting the damage once they occur.

Categories of Security Controls

1. Technical Controls

  • Implemented and enforced by technical systems.
  • Examples: Operating system policies, firewalls, antivirus software.

2. Managerial Controls

  • Policies and procedures set by management.
  • Used in security policy documentation and standard operating procedures.

3. Operational Controls

  • Controls carried out and managed by people rather than by technology.
  • Examples: Security guards, awareness programs, monthly training.

4. Physical Controls

  • Limits physical access to buildings, rooms, or devices.
  • Examples: Guard shacks, fences, locks, badge readers.

Types of Security Controls

Preventive Control Types

  • Limits or blocks access to resources before an event can occur.
  • Examples:
    • Technical: Firewall rules.
    • Managerial: Onboarding policies.
    • Operational: Guard shack inspections.
    • Physical: Door locks.

Deterrent Control Types

  • Discourages unauthorized access.
  • Examples:
    • Technical: Splash screens with security notices.
    • Managerial: Threats of demotion.
    • Operational: Reception desk.
    • Physical: Warning signs.

Detective Control Types

  • Identifies and alerts to breaches.
  • Examples:
    • Technical: System logs.
    • Managerial: Reviewing login reports.
    • Operational: Property patrols.
    • Physical: Motion detectors.

Corrective Control Types

  • Applied after an event to reverse or reduce its impact.
  • Examples:
    • Technical: Data recovery from backups.
    • Managerial: Policies for issue reporting.
    • Operational: Contacting law enforcement.
    • Physical: Fire extinguishers.

Compensating Control Types

  • Temporary measures used in place of a control that isn't available, usually because resources are lacking.
  • Examples:
    • Technical: Firewall rules instead of patching.
    • Managerial: Separation of duties.
    • Operational: Multiple security guards.
    • Physical: Power generators.

Directive Control Types

  • Directs people toward secure behavior.
  • Examples:
    • Technical: File storage policies.
    • Managerial: Compliance policies.
    • Operational: Security training courses.
    • Physical: "Authorized Personnel Only" signs.
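The four categories and six control types above form a 4×6 matrix that can be used to audit an inventory of controls. The following Python is an added example, not part of the original notes: it builds that matrix from a constructed sample inventory, reports the cells with no control at all, and flags compensating controls (which the notes describe as temporary) that have no review date or whose review date has passed. The `Control` class, the `expires` field and the sample entries are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The four control categories and six control types from the notes above.
CATEGORIES = ("technical", "managerial", "operational", "physical")
TYPES = ("preventive", "deterrent", "detective", "corrective",
         "compensating", "directive")

@dataclass(frozen=True)
class Control:
    name: str
    category: str
    ctype: str
    expires: Optional[date] = None  # review date; only used for compensating controls

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.ctype not in TYPES:
            raise ValueError(f"unknown control type: {self.ctype}")

def coverage_matrix(controls):
    """Map each (category, type) cell to the names of the controls filling it."""
    matrix = {(c, t): [] for c in CATEGORIES for t in TYPES}
    for ctl in controls:
        matrix[(ctl.category, ctl.ctype)].append(ctl.name)
    return matrix

def coverage_gaps(controls):
    """Cells with no control at all, sorted so reports are stable."""
    return sorted(cell for cell, names in coverage_matrix(controls).items() if not names)

def stale_compensating(controls, today):
    """Compensating controls are temporary: flag any with no review date or a past one."""
    return [c.name for c in controls
            if c.ctype == "compensating" and (c.expires is None or c.expires < today)]

# Constructed sample inventory (not a real organization's), based on the page's examples.
SAMPLE = [
    Control("Firewall rules", "technical", "preventive"),
    Control("Door locks", "physical", "preventive"),
    Control("System logs", "technical", "detective"),
    Control("Motion detectors", "physical", "detective"),
    Control("Recovery from backups", "technical", "corrective"),
    Control("Firewall rule instead of patch", "technical", "compensating", date(2025, 6, 1)),
    Control("Additional security guards", "operational", "compensating"),
    Control("Security training courses", "operational", "directive"),
]
```

Running `coverage_gaps(SAMPLE)` on this inventory lists the 16 empty cells (every managerial cell among them), which is the kind of gap a review of the matrix is meant to surface.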

Conclusion

  • The examples given are only a few of many; the same control can often fit more than one category or type.
  • As technology evolves, new control types may appear.
  • Security controls can vary between organizations.