Control Types – CompTIA Security+ SY0-401: 2.1

If you’re planning to build a structured security policy, you’ll find the organization of security controls to be a valuable starting point. In this video, you’ll learn about the NIST standards for the organization of security control types.

<< Previous Video: VPN over Wireless NetworksNext: False Positives and False Negatives >>


A good place to start the conversation about risk, is with the control types. The National Institute of Standards and Technology is a federal organization in the United States that comes up with standards that are used not only for the Federal Government, but also nationally and even worldwide.

They have a set of standards called the “NIST Special Publication 800-53.” And that is a publication called the “Recommended Security Controls for Federal Information Systems.” And although the name says “Federal Information Systems,” there’s some nice information in here that you could almost apply to anybody’s organization.

If you go out to Google you search for “NIST Special Publication 800-53,” you will see this. This is the document itself. It is quite comprehensive, and it’s a very nice overview and a guide to how you can start taking different parts of your organization and the different kinds of risks that you have, and categorizing them, and then setting some standards on how you can deal with risk associated with those different parts of your organization.

Inside of this document are what they call, “Three Classes and 18 Different Families” that are categorized in these three classes. The first class is one called, Technical Control Types. So you can think of this as things like access control– how you authenticate onto the different resources that are on your network or on your computer. How do you protect your systems? How do you protect your communications? All of those technical aspects of control are related in that particular technical class.

The second class is the Management Class. This is a class that talks about how you manage these different aspects of risk in your environment. Things like how you do security assessments, how you provide authorization to different resources in your network or in your environment, how you do planning, how you do risk assessment. Those are extremely important things when you’re dealing with security. Security isn’t just configuring a firewall properly, it’s also setting the proper policies and procedures to follow so that the firewall can be configured properly.

The last class is an Operational Class. What do you do, ongoing with operation, to maintain the security in your environment? What do you do when an incident occurs? What are the proper processes to go through? How do you handle changes in configurations inside of your network? You don’t want to create security issues related to changes, you don’t want people making changes without authorization. How do you protect things physically? Do you lock doors? Do you have key cards? How do you lock down a laptop computer that’s very mobile?

So all of that’s in more of the operational mode of things, and so all three of these classes all work together. You really can’t look at just one of them, you have to take into account your technical controls, your management controls, and the operational controls as well.

Here’s a chart that really does summarize these classes, families, and what they call, identifiers, for each one of these. It would not be a federal document if we didn’t in some way have a list of abbreviations associated with these. For the purposes of the Security Plus Exam, you don’t have to remember all the identifiers, but it’s useful to know these different classes– the technical, the operational, and the management. And have an understanding of why these different families are associated with these classes.

And if you start looking at them, they make a lot of sense. Technical– yep, that’s access control. That’s configuring firewalls and making sure your access control lists are set properly. Operationally, you want to have awareness and training.

So, make sure you’re aware of what some of these different families are in these different classes. Get an understanding of what these control types are, and if you have time, read through the document. It’s really a very nice overview– quite comprehensive, in fact, of all of these different families and classes and how our federal government uses these classes to control and manage their security. You could probably take some of the things they’re doing, and use in your environment as well.