What are security controls and what are the different types of security controls?
Security controls are safeguards or countermeasures prescribed for the information and information systems of an organization, established to protect the confidentiality, integrity and availability (CIA) of its assets and to meet its defined security requirements. More broadly, the term covers the whole range of controls designed to help organizations protect their data and IT infrastructure and to prevent cyberattacks from internal and external security threats.
Security controls are safeguards that companies and individuals use to avoid, detect, prevent, recover from, or at least minimize security risks to their valuable assets. They ensure that only authorized entities are allowed to access resources and that unauthorized users are denied access to valuable assets. In addition, they mitigate and prevent a wide variety of information security risks such as malware, ransomware, phishing, social engineering, data loss, data breach, and DDoS/DoS attacks.
There are three major categories of security controls that cybersecurity professionals should be familiar with: technical controls, administrative controls and physical controls. In order to protect and secure organizational assets from cyberattacks or security incidents, security staff should understand each of these categories in depth.
- Administrative Controls: policies and procedures that organizations define to protect their valuable assets, based on security policies and regulatory requirements. Examples include: policies, data classification and labeling mechanisms, procedures, hiring and termination practices, backup policies, background checks, security awareness and training programs, reviews, reports, work supervision, testing, and personnel security controls. This category of security controls is sometimes called management controls.
- Technical Controls: the hardware or software technologies used to manage access and protect organizational IT resources and systems. Examples include: encryption, access control lists (ACLs), intrusion detection systems/intrusion prevention systems (IDS/IPS), firewalls, routers, security information and event management (SIEM) and related technologies.
- Physical Controls: security controls concerned with protecting the facility and physical objects of the organization. Examples include: perimeter fencing, access control cards, guards, guard dogs, locks, lights, smartcards and tokens, video surveillance systems (VSS), intrusion detection sensors, swipe cards, biometric access controls, and alarms. This category of security controls is sometimes referred to as operational controls.
Organizations can apply the following more granular security control types, in addition to the three security control categories described above:
- Preventative: security control deployed to stop unauthorized activity from happening to information and information systems. Examples include: firewalls, encryption, access controls, etc.
- Detective: security control deployed to discover and identify malicious activities after they have occurred. Examples include: CCTV, IDS, job rotation, audit trails, etc.
- Deterrent: security control that discourages intruders from violating security policies. Examples include: policies, security awareness training, locks, fences, guards, etc.
- Corrective: security control that modifies the environment to return systems and services to a normal state after unauthorized activity has happened. Examples include: backup and restore systems, intrusion prevention systems (IPS), virus removal, etc.
- Recovery: security control that restores resources, services and functionality after a security policy violation occurs. Examples include: backup and restore systems, server clustering, antimalware systems, database shadowing, imaging and snapshotting, etc.
- Directive: security control established to direct and control the actions of entities in order to enforce compliance with security policies. Examples include: acceptable use policy (AUP), notifications, exit signs, etc.
- Compensating: security control established to provide an alternative to an existing security control, in support of security policy enforcement. Examples include: a disaster recovery plan (DRP) for failed fire prevention and suppression systems, backup systems for deleted files, etc.