Security Control Types and Functions

Domain 1.0: Security Control Types and Functions

Key Objectives

  • Understand the role of security controls in information security and cybersecurity assurance.

  • Know how to select and implement appropriate security controls.

  • Recognize job roles and organizational structures in security program implementation.

Security Control Categories

  • Managerial: Oversight and strategic reporting; includes risk assessment and security policies.

  • Operational: Day-to-day administration; includes security personnel and standard operating procedures.

  • Technical: Controls implemented through hardware/software; examples are firewalls and antivirus software.

  • Physical: Prevents, deters, and detects access to hardware; includes security cameras, locks, and alarms.

Security Control Functional Types

  • Preventive: Reduces likelihood of attacks; operates before an attack; e.g., access controls, anti-malware.

  • Detective: Identifies or logs intrusions; operates during an attack; e.g., logs and intrusion detection systems.

  • Corrective: Reduces impact after an attack; e.g., backup systems, patch management.

  • Directive: Enforces behaviors through policies and training; e.g., employee contracts and training programs.

  • Deterrent: Discourages attackers; e.g., warning signs and legal penalties.

  • Compensating: Substitutes for primary controls, providing similar protection; e.g., network segmentation for legacy systems.