Security Controls
Controls can be broken down into categories and types. The category describes how a control is implemented; the type describes the kind of action the control takes.
Categories:
- Technical: Controls implemented via hardware or software (e.g., firewalls).
- Managerial: Rules or policies set by authority figures.
- Operational: Day-to-day processes and practices that support security (training, incident response, audits, etc.).
- Physical: Controls that protect physical access to systems.
Types:
- Preventative: Controls that prevent incidents from occurring.
- Deterrent: Controls that discourage/deter an attacker.
- Detective: Controls that identify/detect when something goes wrong.
- Corrective: Controls that fix/restore systems after an incident occurs.
- Compensating: Alternate/fallback controls that are used when the primary control doesn't work.
- Directive: Controls that provide guidelines/instructions.
A table containing examples of all combinations of categories and types:
| Control Type | Technical | Managerial | Operational | Physical |
|---|---|---|---|---|
Preventative | Firewall rules, encryption | Security policies, risk analysis | Security training | Locks, fences |
Deterrent | Login banners, password alerts | Policies with consequences | Security awareness programs | Cameras, guards |
Detective | IDS/IPS, audit logs | Incident reporting processes | Log reviews, monitoring | Motion detectors, CCTV |
Corrective | Antivirus quarantine actions | Disaster recovery plans | Incident response procedures | Fire suppression systems |
Compensating | 2FA when biometrics not viable | Alternate policy enforcement | Manual oversight | Backup generators |
Directive | Group policy enforcement | Acceptable use policy | SOPs, playbooks | Exit signs, emergency instructions |