1.1 - CompTIA Security+

Control categories

Technical

  • Technical controls: Controls implemented using a technical system (e.g., software, hardware, operating systems).

Managerial

  • Managerial controls: Controls based on a series of policies that explain to people how to use data, computers, and systems.

Operational

  • Operational controls: Controls that use people/human activities to ensure that security measures are followed effectively (e.g., security guards, awareness training).

Physical

  • Physical controls: Controls that limit someone’s access to a physical location, room, or device.

Control types

Preventive

  • Preventive controls: Controls that limit someone’s access to a resource, and/or prevent security incidents before they occur (e.g., a guard shack or a password).

Deterrent

  • Deterrent controls: Security controls designed to discourage unauthorized actions by highlighting risks or consequences (e.g., splash screens, CCTV cameras).

Detective

  • Detective controls: Security controls designed to identify unauthorized actions as they occur (e.g., intrusion detection systems, endpoint logs, motion detectors).

Corrective

  • Corrective controls: Security controls designed to restore systems after an incident/breach (e.g., antivirus software, intrusion prevention systems).

Compensating

  • Compensating controls: Security controls designed to replace (normally for a short time) systems that have been affected by a security incident (e.g., power generators, a firewall rule to block a vulnerability for which no update is available).

Directive

  • Directive controls: Security controls where you direct someone to do something more secure rather than less secure (e.g., storing information in a secured folder rather than in an insecure folder, placing an “AUTHORIZED PERSONNEL ONLY” sign on a door).