From the course: CompTIA Security+ (SY0-701) Cert Prep: 1 General Security Concepts

Categorizing security controls

Security professionals spend the majority of their time designing, implementing, and managing security controls as countermeasures to the risks they identify during risk assessments. Security controls are procedures and mechanisms that an organization puts in place to address security risks in some way. This might include trying to reduce the likelihood of a risk materializing, minimizing the impact of a risk if it does occur, or detecting security issues that do occur.

Now, before we move into the area of cybersecurity, let's think for a moment about the ways that you secure your home. You probably use a number of different security controls. You certainly have locks on your doors and windows that are designed to keep out intruders, minimizing the risk of a burglary. That's just common sense. You might also have a burglar alarm designed to detect intrusions, security cameras to record activity inside your home, automatic light switches that deter a burglar by simulating human activity, and any number of other controls. In fact, even asking your neighbor to bring in your mail is an example of a security control.

Some of these controls are designed to achieve the same purpose or, in the language of security professionals, the same control objective. For example, both a burglar alarm and security cameras are designed to detect intruders. We sometimes use more than one control to achieve the same objective because we want to be sure that we remain secure even if one control fails. If the burglar manages to open a window without tripping the burglar alarm, they may still be caught on your security cameras. This is known as the defense in depth principle: applying multiple overlapping controls to achieve the same objective. Security professionals use a number of different categories to group similar security controls. We'll talk about two different ways they do this.
First, we'll discuss grouping controls by their purpose or type, whether they're designed to prevent, detect, correct, deter, direct, or compensate for security issues. Then we'll discuss them by their mechanism of action, the way that they work. This groups them into the categories of technical, operational, managerial, and physical controls.

Preventive controls are designed to stop a security issue from occurring in the first place. A firewall that blocks unwanted network traffic is an example of a preventive control. Detective controls identify potential security breaches that require further investigation. An intrusion detection system that searches for signs of network breaches is an example of a detective control. Corrective controls remediate security issues that have already occurred. If an attacker breaks into a system and wipes out critical information, restoring that information from backup is an example of a corrective control. Deterrent controls seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls. Directive controls inform employees and others what they should do to achieve security objectives. Policies and procedures are examples of directive controls. The final type of security control commonly used is the compensating control. Compensating controls are designed to fill a known gap in a security environment. For example, imagine that a facility has a tall barbed wire fence surrounding it, but it has one gate in the fence with a turnstile that allows authorized individuals access to the facility. One risk with this approach is that someone might simply hop over that turnstile. The organization might place a guard at this gate to monitor individuals entering the facility as a compensating control.

The second way that we can categorize controls is by their mechanism of action.
This groups controls as technical, operational, managerial, or physical controls. Technical controls are exactly what the name implies, the use of technology to achieve security objectives. Think about all of the components of an IT infrastructure that perform security functions. Firewalls, intrusion prevention systems, encryption, data loss prevention, and antivirus software are all examples of technical security controls. Operational controls include the processes that we put in place to manage technology in a secure manner. These include many of the tasks that security professionals carry out every day, such as user access reviews, log monitoring, background checks, and conducting security awareness training. Now, it's sometimes a little tricky to tell the difference between technical and operational controls. If you get an exam question on this topic, one trick is to remember that operational controls are carried out by people, while technical controls are carried out by technology. For example, a firewall enforcing rules is a technical control, while a system administrator reviewing firewall logs is an operational control. Managerial controls are focused on the mechanics of the risk management process. For example, one common management control is conducting regular risk assessments to identify the threats, vulnerabilities, and risks facing an organization or a specific information system. Other management controls include conducting regular security planning and including security considerations in an organization's change management, service acquisition, and project management methodologies. Physical controls are security controls that impact the physical world. Some examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
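The firewall example above pairs a technical, preventive control (the firewall enforcing rules) with an operational, detective control (an administrator reviewing the firewall's logs), and together they give defense in depth. The following is an added illustration, not code from the course; the rule set, packet format and sample traffic are all constructed, and the log review is automated here only to show what the administrator would be looking for.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed firewall policy: first matching rule wins, default deny.
# Each rule is (destination port, action).
RULES = [(443, "allow"), (80, "allow"), (22, "deny")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int

def firewall_decide(pkt: Packet) -> str:
    """Technical, preventive control: enforce the rule set on one packet."""
    for port, action in RULES:
        if pkt.dst_port == port:
            return action
    return "deny"  # default deny when no rule matches

def enforce(packets: list[Packet]) -> tuple[list[Packet], list[str]]:
    """Apply the firewall; return the forwarded packets and a log of every decision."""
    forwarded, log = [], []
    for pkt in packets:
        decision = firewall_decide(pkt)
        log.append(f"{decision.upper()} src={pkt.src} dport={pkt.dst_port}")
        if decision == "allow":
            forwarded.append(pkt)
    return forwarded, log

def review_logs(log: list[str], threshold: int = 3) -> list[str]:
    """Operational, detective control: the administrator's log review, here
    reduced to flagging sources denied at least `threshold` times. The
    firewall already stopped these packets; the review is a second,
    overlapping layer that surfaces the attempts for investigation."""
    denies = Counter(line.split("src=")[1].split()[0]
                     for line in log if line.startswith("DENY"))
    return sorted(src for src, n in denies.items() if n >= threshold)

# Constructed sample traffic: one host probing several closed ports.
SAMPLE = [Packet("10.0.0.5", 443), Packet("10.0.0.5", 80),
          Packet("10.0.0.9", 22), Packet("10.0.0.9", 23),
          Packet("10.0.0.9", 3389), Packet("10.0.0.7", 22)]

if __name__ == "__main__":
    fwd, log = enforce(SAMPLE)
    print("\n".join(log))
    print("sources needing investigation:", review_logs(log))
```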