Comparing Security Controls
Technical Controls
Technical control mechanisms are implemented using hardware, software, and/or firmware
components. These controls can be native to the system or supplemental to existing controls. They are
designed to protect the integrity, confidentiality, and availability of information systems.
Examples:
• Firewalls: A firewall can be a hardware device or software application that monitors and
controls incoming and outgoing network traffic based on predetermined security rules. It acts as
a barrier between trusted and untrusted networks, filtering traffic to prevent unauthorized
access.
• Cryptography: Cryptography involves the use of algorithms to encrypt data, ensuring that it
remains confidential and secure during transmission or storage. Examples include SSL/TLS for
secure web browsing, and AES for data encryption.
• Authentication Systems: These systems verify the identity of users before granting access to
resources. Examples include password-based systems, biometric systems (fingerprint or facial
recognition), and two-factor authentication (2FA).
Managerial Controls
Managerial controls are related to the governance, oversight, strategic alignment, and decision-making
processes within an organization. They are essential for risk management and ensuring that security
policies and procedures are effectively implemented and maintained.
Examples:
• Risk Assessments: This involves identifying, evaluating, and prioritizing risks to an
organization's assets and operations. The goal is to understand the potential impact of different
threats and determine the best ways to mitigate them.
• Project Management: Effective project management ensures that security projects are planned,
executed, and monitored properly. This includes setting objectives, managing resources, and
ensuring that security requirements are met.
Operational Controls
Operational controls are aligned with processes that are primarily implemented and executed by people.
These controls ensure that day-to-day operations follow security policies and procedures.
�Examples:
• Change Configuration Management: This involves tracking and managing changes to IT
systems to ensure that they do not negatively impact security. It includes documenting changes,
assessing their impact, and obtaining approval before implementation.
• Training: Regular security training and awareness programs help employees understand
security policies, recognize threats, and respond appropriately.
• Testing: Regular testing of security systems and procedures, such as penetration testing and
vulnerability assessments, helps identify and address weaknesses.
Physical Controls
Physical controls are designed to address physical interactions, generally related to buildings and
equipment. They protect physical assets from unauthorized access, damage, or theft.
Examples:
• Gates, Barricades, Locks: These physical barriers prevent unauthorized access to sensitive
areas. For example, gates and barricades can control access to a facility, while locks can secure
individual rooms or devices.
• Security Guards: Human security personnel can monitor and control access to a facility,
respond to incidents, and enforce security policies.
Deterrent Controls
Deterrent controls are designed to discourage threat agents from taking undesirable actions. By making
it clear that there are consequences for malicious behavior, deterrent controls reduce the likelihood of
an attack.
Examples:
• Warning Signs: Signs indicating that an area is under surveillance or that trespassing is
prohibited can deter unauthorized access.
• Policies and Procedures: Clearly communicated policies, such as acceptable use policies, can
deter employees from engaging in risky behavior.
Preventative Controls
Preventative controls stop a threat agent from being successful in their malicious activities. These
controls are proactive measures designed to prevent security incidents before they occur.
Examples:
• Access Controls: Mechanisms such as user authentication and authorization prevent
unauthorized individuals from accessing sensitive information or systems.
� • Encryption: Encrypting data ensures that even if it is intercepted, it cannot be read without the
proper decryption key.
Diagram
Detective Controls
Detective controls identify and report a threat agent or action, allowing an organization to respond to
security incidents promptly. These controls provide visibility into security events and help detect
potential issues.
Examples:
• Intrusion Detection Systems (IDS): IDS monitor network traffic for suspicious activity and
generate alerts when potential threats are detected.
• Log Analysis: Regularly reviewing logs from various systems (e.g., firewalls, servers) helps
identify unusual patterns or activities that may indicate a security incident.
Corrective Controls
Corrective controls minimize the impact of a threat agent or modify or fix a situation after a security
incident has occurred. These controls aim to restore normal operations and prevent future incidents.
Examples:
� • Backup and Restore Procedures: Regular backups ensure that data can be recovered in case
of a loss or corruption. Restore procedures help return systems to their normal state.
• Patch Management: Applying patches to fix known vulnerabilities in software reduces the risk
of exploitation.
Compensating Controls
Compensating controls are implemented in lieu of a recommended control that provides equivalent or
comparable protection. These controls can be used when the recommended control is not feasible or
does not provide sufficient protection.
Examples:
• Temporary Firewalls: In the case of a zero-day vulnerability, a temporary firewall rule might
be implemented to block traffic until a proper patch is available.
• Additional Monitoring: If a primary control is not effective, additional monitoring might be
implemented to detect and respond to potential threats.
�Directive Controls
Directive controls are proactive actions taken to cause or encourage a desirable event or outcome to
occur. They are broad in nature and often used to increase the effectiveness of other controls.
Examples:
• Frameworks and Models: Security frameworks like NIST or ISO provide guidelines and best
practices for implementing comprehensive security programs.
• Policies and Guidance Statements: Security policies, procedures, and guidance documents
help ensure that everyone in the organization understands their roles and responsibilities related
to security.
�Security in Action
To illustrate how these controls work together in practice, consider the following scenarios:
• Physical Security: A server room might be secured with locks on the doors (preventative),
monitored by motion sensor alarms (detective), and patrolled by security guards (deterrent).
• Technical Security: Network security can be enhanced with firewalls that filter incoming and
outgoing traffic (preventative), logging mechanisms that track network activity (detective), and
regular updates to firewall rules and antivirus definitions (corrective).
• Managerial Security: An organization might conduct annual web application audits to identify
vulnerabilities (detective) and implement project management practices to ensure that security
projects are completed on time and within budget (managerial).
• Operational Security: Regular updates and patches to software systems (corrective), employee
training on security best practices (operational), and change configuration management to
control and document system changes (operational).
By understanding and implementing these various types of controls, organizations can build a robust
security posture that protects against a wide range of threats.
