Security controls (general)
Prevent “security events”, minimize the impact, and limit the damage
Technical controls
Control category, controls implemented using systems. Software, firewalls, antivirus, operating system controls
Managerial controls
Control category, administrative controls associated with design and implementation, think policies or SOPs
Operational controls
Control category, using people as controls, security guards, awareness training programs
Physical controls
Control category, using physical systems to prevent breaches, fences, guard rails, guard shacks, card readers
Preventive control type
Blocks access to a resource, “you shall not pass”
Preventive control implementation (technical)
Firewall rules
Preventive control implementation (managerial)
following security policies
Preventive control implementation (operational)
enabling door locks
Preventive control implementation (physical)
guard shack checks all IDs
Deterrent control type
Discourages an intrusion, does not prevent
Deterrent control implementation (technical)
Security badges on splash screen
Deterrent control implementation (managerial)
threat of demotion
Deterrent control implementation (operational)
front reception desk
Deterrent control implementation (physical)
posted warning signs
Detective control type
Identifies and logs intrusion attempts, may not prevent access
Detective control implementation (technical)
System logs
Detective control implementation (managerial)
Review login reports
Detective control implementation (operational)
property patrols
Detective control implementation (physical)
motion detectors
Corrective control types
Applies control after a security event has occurred, reverse impact of an event
Corrective control implementation (technical)
Restoring corrupted system via backup
Corrective control implementation (managerial)
Policy for reporting security issues
Corrective control implementation (operational)
Contacting authorities
Corrective control implementation (physical)
fire extinguisher
Compensating control types
Control using other means, additional support for an existing control, may be temporary
Compensating control implementation (technical)
Firewall blocking a specific app
Compensating control implementation (managerial)
implement a separation of duties
Compensating control implementation (operational)
require multiple security staff
Compensating control implementation (physical)
power generator
Directive control types
Direct a subject towards security compliance
Directive control implementation (technical)
File storage policy
Directive control implementation (managerial)
compliance policies
Directive control implementation (operational)
security policy training
Directive control implementation (physical)
signs “authorized personnel only”
Yes
Can some security controls exist in multiple types or categories?