Understanding Security Controls

If you’ve spent any amount of time in IT security, you know there are many different security risks that you need to prepare for. The attackers are looking for different ways to gain access to our systems. And we need to find different ways to prevent them from getting that access. But of course, we’re not just protecting data. We’re also protecting physical systems, buildings, people, and everything in our organization.

In this video, we’ll look at different security controls and how they can be used to prevent events from occurring in the first place, to minimize the impact of events that ultimately do occur, and, in many cases, to limit the damage if someone does find a way into our computing environment.

Broad Categories of Security Controls

Technical Controls

These are controls that we implement using some type of technical system. Examples include:

  • Policies and procedures within operating systems
  • Firewalls
  • Antivirus software

Managerial Controls

These involve creating policies and procedures for managing systems, such as:

  • Security policy documentation
  • Standard operating procedures

Operational Controls

These controls rely on people to manage security. Examples include:

  • Security guards
  • Awareness programs

Physical Controls

These controls limit physical access to buildings, rooms, or devices. Examples include:

  • Guard shacks
  • Fences and locks
  • Badge readers

Control Types

Preventive Controls

These limit access to resources. Examples include:

  • Firewall rules
  • Guard shack identification checks
  • Door locks

Deterrent Controls

These discourage attacks. Examples include:

  • Splash screens
  • Threats of demotion or dismissal
  • Warning signs

Detective Controls

These identify and warn about breaches. Examples include:

  • System log reviews
  • Login report reviews
  • Motion detectors

Corrective Controls

These address incidents after they occur. Examples include:

  • Backup recovery
  • Policy updates
  • Contacting authorities
  • Using fire extinguishers

Compensating Controls

These are temporary solutions used when a security event cannot be reversed. Examples include:

  • Firewall rules for unpatched vulnerabilities
  • Separation of duties
  • Multiple security staff
  • Power generators

Directive Controls

These direct users to follow secure practices. Examples include:

  • File storage policies
  • Compliance training
  • Security signage

Summary

Examples of security controls and their categories are numerous, and their implementation varies by organization. As technology evolves, new control types and implementations may arise. The key is to understand the broad categories and apply them effectively within your environment.