Security Controls

Control Categories and Types

Information security and cybersecurity assurance are met by implementing security controls. By identifying basic security control types, you will be better prepared to select and implement the most appropriate controls for a given scenario. You should also be able to describe how specific job roles and organizational structures can implement a comprehensive security program for organizations.

Security Control Categories

Information and cybersecurity assurance usually takes place within an overall process of business risk management. Implementation of cybersecurity functions is often the responsibility of the IT department. There are many ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides for implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that represent best practices. Collectively, these procedures, activities, and tools can be referred to as security controls.

A security control is designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into four broad categories based on the way the control is implemented:

  • Managerial — the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
  • Operational — the control is implemented primarily by people. For example, security guards and training programs are operational controls.
  • Technical — the control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls.
  • Physical — controls such as alarms, gateways, locks, lighting, and security cameras that deter and detect access to premises and hardware are often placed in a separate category from technical controls.

Although it uses a different scheme, be aware of how the National Institute of Standards and Technology (NIST) classifies security controls (csrc.nist.gov/publications/detail/sp/800-53/rev-5/final).

For example, as of NIST 800-53 rev 4, the class designations of technical, operational, and managerial were removed from the control families list. Instead, they were redefined as properties of individual controls within a family. The designations are used here to help familiarize learners with the basic concepts presented in 800-53, and because many organizations and publications continue to use this terminology. Be aware that terminology usage and practice are always evolving.

Security Control Functional Types

As well as a category, a security control can be defined according to the goal or function it performs:

  • Preventive — the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventive control operates before an attack can take place. Access control lists (ACLs) configured on firewalls and file system objects are preventive-type technical controls. Antimalware software acts as a preventive control by blocking malicious processes from executing.
  • Detective — the control may not prevent or deter access, but will identify and record an attempted or successful intrusion. A detective control operates during an attack. Logs provide one of the best examples of detective-type controls.
  • Corrective — the control eliminates or reduces the impact of a security policy violation. A corrective control is used after an attack. A good example is a backup system that restores data damaged during an intrusion. Another example is a patch management system that eliminates the vulnerability exploited during the attack.

While most controls can be classed functionally as preventive, detective, or corrective, a few other types can be used to define other cases:

  • Directive — the control enforces a rule of behavior, such as a policy, best practice standard, or standard operating procedure (SOP). For example, an employee's contract will set out disciplinary procedures or causes for dismissal if they do not comply with policies and procedures. Training and awareness programs can also be considered as directive controls.
  • Deterrent — the control may not physically or logically prevent access, but it psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
  • Compensating — the control is a substitute for a principal control, as recommended by a security standard. It affords the same (or better) level of protection but uses a different methodology or technology.

A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources.

The implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accountancy firm, or a machine tool manufacturer. However, each of these organizations, or any other organization (in any sector of the economy, whether profit-making or non-profit-making), should have the same interest in ensuring that its employees, equipment, and data are secure against attack or damage. An organization that develops security policies and uses framework-based security controls has a strong security posture.

As part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical.

  • Overall responsibility for the IT function lies with a Chief Information Officer (CIO). This role might also have direct responsibility for security. Some organizations will also appoint a Chief Technology Officer (CTO), with more specific responsibility for ensuring the effective use of new and emerging IT products and solutions to achieve business goals.
  • In larger organizations, internal responsibility for security might be allocated to a dedicated department run by a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).
  • Managers may have responsibility for a domain, such as building control, web services, or accounting.
  • Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).
  • Nontechnical staff have the responsibility of complying with policy and with any relevant legislation.
  • External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility.

NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job roles within the cybersecurity industry (gov/itl/applied-cybersecurity/nice/nice-framework-resource-center).