Section 3: Security Control Categories and Types

Technical Controls

aka logical security controls, are mechanisms in hardware, software, and firmware that automate the process of preventing, detecting, and responding to security threats.

Technical Controls includes

Access Control Mechanisms, Firewalls, IDS & IPS, Encryption, VPN, Anti-virus & Anti-malware

Managerial Controls

aka admin controls, are the policies, procedures, and guidelines that govern the behavior of people within an org and operation of IT systems

Managerial Controls include

risk management, security policies & procedures, Incident Response and Recovery plans, BCP and DR

Operational Controls

are the day to day methods and procedures that are implemented by an organization to ensure and maintain the security of its info and assets.

Operational Controls include

Security Awareness training, Physical media protection

Physical Controls

Measures taken to protect actual hardware and facilities that house the systems, networks, and data.

Physical Controls include

lighting, signs, fences, cameras, security guards

Security Control Types

• Preventative

• Detective

• Deterrent

• Directive

Preventative

attempts to stop a security incident from occurring (firewalls, encryption, access control, IPS)

Detective controls

attempts to detect events that resulted in a security incident (IDS, SIEM, video surveillance, motion detection)

Corrective controls

attempts to remediate an incident that has occurred (UPS, restoring backups, incident response procedures)

Deterrent controls

attempts to discourage a threat (guard dog, cameras, barbed wire)

Directive controls

provides directions on how to systems (procedures, policies)

Compensating controls

provides alternate controls when the primary control is not sufficient (segregation of duties)

Layered Security

aka defense in depth; is an information assurance concept where multiple layers of security controls (defensive mechanisms) are placed throughout an IT system.