1.1 - Security Controls
Summary
Security controls are categorized into technical, managerial, operational, and physical types, and are implemented through various control types—preventative, corrective, deterrent, directive, compensating, and detective—to protect systems, data, and facilities from security incidents and ensure effective risk management.
Notes:
Summary
Security Control Categories
- Technical: Controls involving technology, such as firewalls, encryption, intrusion detection systems, and antivirus software. These controls are implemented through hardware or software solutions to protect systems.
- Managerial: Controls involving administrative processes, like risk assessments, security policies, and standard operating procedures (SOPs). These are strategic controls that ensure security objectives are met.
- Operational: Controls that are related to day-to-day procedures and activities, such as incident response, security awareness training, and security guards. They help ensure secure operations are consistently carried out.
- Physical: Controls that involve physical security, such as fences, CCTV cameras, barriers to entry, and keycard access systems, to protect against physical threats.
Control Types
- Preventative: Controls designed to prevent security incidents before they occur by blocking unauthorized actions. Example: Firewalls or user access controls.
- Corrective: Actions taken after a security incident to restore systems to normal functionality or minimize damage. Example: Restoring data from backups after a ransomware attack.
- Deterrent: Controls that discourage or reduce the likelihood of a security incident by increasing perceived risk. Example: Security cameras and warning signs.
- Directive: Controls that provide clear guidance to ensure secure behaviors. Example: Policies that specify access protocols or "Authorized Personnel Only" signs.
- Compensating: Alternative measures used when primary controls are not feasible or fail. Example: Using a backup generator if the primary power source is disrupted.
- Detective: Controls that identify and record potential security incidents. Example: Intrusion detection systems (IDS) or monitoring and logging network traffic.
Security Control Categories
Technical
Technical controls are implemented through technology, such as operating systems, firewalls, encryption protocols, and antivirus software, to secure systems and data.
Managerial
Managerial controls involve administrative processes, such as security policies, risk management plans, and standard operating procedures (SOPs), to govern security practices.
Operational
Operational controls involve human-centric actions, such as employee security training, incident response procedures, and deployment of security personnel, to ensure security practices are followed daily.
Physical
Physical controls involve measures that restrict physical access to facilities, such as fences, card readers, security cameras, and barriers to protect physical assets.
Control Types
Preventative
Preventative controls aim to stop unauthorized access or actions before they happen. Example: Firewalls blocking unauthorized network access or multi-factor authentication for secure logins.
Deterrent
Deterrent controls are designed to discourage potential attackers or unauthorized actions by increasing perceived risk. Example: Visible security cameras or guard presence at entry points.
Detective
Detective controls are responsible for identifying unauthorized activities or incidents. Example: Security Information and Event Management (SIEM) systems that analyze logs for suspicious activities.
Corrective
Corrective controls are employed to mitigate the impact of a security incident after it has occurred. Example: Restoring systems from a clean backup after a malware attack or applying patches.
Compensating
Compensating controls are used as temporary or alternative solutions when primary security controls are unavailable or insufficient. Example: Implementing a virtual private network (VPN) while the primary network security system is being upgraded.
Directive
Directive controls provide specific guidelines or instructions to ensure secure behavior and practices are followed. Example: Security training programs or policies outlining data handling procedures.
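Of the six control types listed in the summary bullets and the section above, two are naturally enforced in software: a preventative control decides before an action happens, while a detective control identifies and records something that has already happened. The following is an added illustration of that difference, not code from the original notes; the roles, actions, log format and IP addresses (203.0.113.x and 198.51.100.x are documentation ranges) are all constructed for the example.

```python
# Added illustration of two control types from the notes above, in code.
# Everything here (roles, actions, log format, addresses) is constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# --- Preventative control: block the action before it happens -----------------
# Allow-list of actions per role; anything not listed is denied by default.
ALLOWED_ACTIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "rotate_keys", "modify_firewall"},
}


def authorize(role, action):
    """Preventative: return True only for an explicitly permitted (role, action) pair."""
    return action in ALLOWED_ACTIONS.get(role, set())


# --- Detective control: identify and record suspicious activity after the fact --
# Constructed log lines in the form "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
CONSTRUCTED_AUTH_LOG = [
    "2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:09Z auth FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:15Z auth FAIL user=bob src=203.0.113.7",
    "2024-05-01T10:00:22Z auth FAIL user=carol src=203.0.113.7",
    "2024-05-01T10:00:30Z auth FAIL user=dave src=203.0.113.7",
    "2024-05-01T10:00:31Z auth OK user=erin src=198.51.100.4",
    "2024-05-01T10:05:00Z auth FAIL user=erin src=198.51.100.4",
    "2024-05-01T10:20:00Z auth FAIL user=erin src=198.51.100.4",
]


def parse_auth_line(line):
    """Return (timestamp, result, user, src) parsed from one constructed log line."""
    ts, _, result, user_field, src_field = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        result,
        user_field.split("=", 1)[1],
        src_field.split("=", 1)[1],
    )


def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Detective: return {src: max_count} for every source with at least
    `threshold` FAIL events inside some sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        ts, result, _user, src = parse_auth_line(line)
        if result == "FAIL":
            failures[src].append(ts)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Advance the window start until all events from start..end fit in `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    print("analyst may rotate keys:", authorize("analyst", "rotate_keys"))  # False
    print("admin may rotate keys:", authorize("admin", "rotate_keys"))      # True
    print("flagged sources:", detect_failed_login_bursts(CONSTRUCTED_AUTH_LOG))
```

Running it denies the analyst's key rotation (preventative: the action never takes place) and flags 203.0.113.7, which produced five failures in under half a minute, while the two failures from 198.51.100.4 fifteen minutes apart stay below the threshold (detective: the events already happened and are only identified and recorded). A corrective control would be whatever follows the flag, such as the backup restore or patching the notes describe; directive, deterrent and compensating controls are policy or physical measures rather than code.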