Security Controls

Security Controls Overview

Security controls can be:

  1. Implemented Via:

    • Administratively
    • Logically/Technically
    • Physically
  2. Types:

    • Preventative
    • Detective
    • Corrective
    • Deterrent
    • Compensating
    • Directive
    • Recovery
  3. Categories:

    • Logical/Technical
    • Physical
    • Administrative

Categories of Controls


Logical/Technical Controls

  • Mechanisms used to manage access and provide protection for resources and systems.

  • Examples:

    • Encryption, Smart Cards, Passwords
    • Biometrics, ACLs, Protocols
    • Firewalls, IDS, Clipping Levels

Ensures digital assets are safe and accessible only by authorized entities.


Physical Controls

  • Protection for real-world entities and infrastructures.

  • Examples:

    • Guards, Fences, Motion Detectors
    • Locked Doors, Lights, Camera, Alarms
    • Swipe Cards, Mantraps, Laptop Locks

Safeguards tangible assets and environments.


Administrative Controls

  • Implement and enforce access control via policies and procedures.

  • Examples:

    • Hiring Practices, Security Training
    • Background Checks, Data Classification
    • Work Supervision, Personnel Controls

Aims to instill good security behaviors and practices.


Types of Security Controls


| Control Type | Description | Example |
|---|---|---|
| Preventative | Deployed to stop unwanted or unauthorized activity. | Fences, locks, alarms, data classification, penetration testing |
| Detective | Deployed to discover unwanted or unauthorized activity. | Security guards, motion detectors, audit trails, IDS, violation reports |
| Corrective | Deployed to restore systems to normal after a security incident. | Intrusion detection systems, antivirus, mantraps, security policies |
| Compensating | Provide alternative options to other controls to enforce security policy. | DROP (with an alternative office location) |
| Directive | Control actions of subjects to force compliance with security policies. | Security guards, security policy, monitoring, work task procedures, awareness training |
| Recovery | Repair or restore resources and capabilities after a security policy violation. | Backups and restores, server clustering, antivirus, database shadowing |
| Deterrent | Discourage the violation of security policies. | Locks, fences, security badges, guards, intrusion alarms, separation of duties, firewalls |