Security Controls – CompTIA Security+ SY0-701 – 1.1

We rely on security controls to monitor, alert, and recover from attacks. In this video, you’ll learn about the categories of common security controls.


If you’ve spent any amount of time in IT security, you know there are many different security risks that you need to prepare for. The attackers are looking for different ways to gain access to our systems. And we need to find different ways to prevent them from getting that access. But of course, we’re not just protecting data. We’re also protecting physical systems, buildings, people, and everything in our organization.

In this video, we’ll look at different security controls and how they can be used to prevent events from occurring in the first place. We can minimize the impact of events that ultimately do occur. And in many cases, we can limit the damage if someone does find a way into our computing environment.

Let’s look at some very broad categories of security controls. The first category we’ll look at is technical controls. These are controls that we implement using some type of technical system. So if you’re someone who is managing an operating system, you might set up policies and procedures within the operating system that would allow or disallow different functions from occurring.

We can also put firewalls, antivirus, and other types of software into this category of technical controls. As a security administrator, you’ll also want to create a series of policies that explain to people the best way to manage their computers, their data, or their other systems. We refer to these as managerial controls.

So if you are creating a series of policies and procedures or you’re creating official security policy documentation, you’ll often put these managerial controls inside of your security policies. You might also see these managerial controls implemented in day-to-day processes as part of your standard operating procedures.

Another important control category is the operational controls. Unlike technical controls, which rely on technology, operational controls rely on people to carry them out. So if you have security guards at your place of work, you’re doing monthly lunch and learns, or you have some type of posters or awareness program at work to help explain the best practices for IT security, then you can put these into the category of operational controls.

And the last category that we have is physical controls. As the name implies, these are controls that would limit someone’s physical access to a building, a room, or a device. This might be something like a guard shack, so that guards can check everyone coming into a particular area. Maybe there are fences and locks to keep people out. Or maybe you use badge readers to limit access to certain areas within your building.

So in this video, we’ll focus on these four categories of controls: technical, managerial, operational, and physical. We’ll also look at a number of different control types and determine where a given control of each type would fit among these categories.

The first control type we’ll look at is the preventive control type. This is a control type that limits someone’s access to a particular resource. You can think of this as something like a firewall rule, which would prevent somebody from gaining access to a particular area of your network. Or it may be something that’s more tangible, such as a guard shack checking everyone’s identification as they come into your facility.

A good way to test yourself with these different control types is to take a specific control of that type and determine which category it fits into. So when we deal with preventive control types, we can look at firewall rules. And since those are handled at a technical level, those would fit into the technical category.

As we hire people, we may want to set a certain type of policy for onboarding. And those would be policies set as part of a managerial category. We’ve already mentioned a guard shack checking everyone’s identification. And since that’s done by a person, we can fit that into an operational category. And lastly, we have door locks, which are physical devices preventing access to a room. So that would fit into the physical category.

Another important control type is a deterrent. And although a deterrent may not prevent someone from accessing a resource, it may discourage them or have them think twice about the attack that they’re planning. For example, when you start an application, there may be a splash screen that provides security information and warns people who are not authorized against gaining access to that system.

Or there might be the threat of a demotion or a dismissal if somebody gains access to data that they should not be accessing. There might also be a front reception desk greeting everyone who walks in or warning signs telling people that if they gain access to this facility that there would be consequences.

These fit perfectly into our four categories. A splash screen is a deterrent that fits into the technical category. A demotion is a managerial category. The reception desk fits into the operational category. And the warning signs are a physical deterrent.

A detective control type can identify and, in some cases, warn us when a particular breach has occurred. This may not prevent access. But it would give us a warning and log information about that particular attack.

An example of a detective control type may be a process of collecting, reviewing, and going through system logs. Or you may be reviewing log-in reports about who’s gained access to your systems. There might be someone patrolling the property, looking for cases where someone might have broken into your facility. And you might have motion detectors so that you’re automatically notified if something is moving in an area where normally there should be no motion.

The system logs that are detailing everything that’s going on in your systems would fit into the technical category. Someone reviewing log-in reports every day or every week would fit into the managerial category. Someone patrolling the property would be an operational category. And then the motion detectors provide us with a physical category.

If there is a notification that someone has breached a system or gained access to a certain area of your business, then you want to apply a corrective security control. A corrective security control is something that occurs after the event has been detected. This is sometimes able to reverse the impact of that particular event. Or you may be able to continue operating your business with minimal downtime, thanks to these corrective controls.

For example, if a computer has been infected with ransomware and it has encrypted everything on that system and made all of the data inaccessible, you can simply erase everything on that computer and restore it to a known good state using your backups. You might also want to create policies so that if there are security issues or something unusual that you see happen, those would be rolled up into an alert or some type of notification.

And if you find that someone has jumped your fence or they’ve tried to get in through a door in your building, you may need to contact law enforcement to be able to correct that particular incident. And if something is caught on fire, you can grab a fire extinguisher and make sure that that fire doesn’t spread any further, thereby correcting that particular event.

And as you might expect, those are four examples that fit neatly into the four categories that we have. Recovering from a backup would be in the technical category. Having policies for reporting issues when they occur would be in the managerial category. Contacting authorities for some type of legal issue would be in the operational category. And your fire extinguisher is in the physical category.

You might also find yourself in a situation where a security event has occurred, but you don’t have the resources or means to reverse what that particular event has caused. In those cases, you may want to use a compensating control type, which uses other means to control that particular security event. This may be something you use on a temporary basis until you’re able to put together a plan to resolve the overall security incident.

For example, you might have an application that is important for your organization. But the application developer has told you that they’ve identified a significant security vulnerability in that software. Since the application developer is going to provide you with a patch sometime in the future, you may want to set some type of firewall rule today that would prevent somebody from exploiting that particular vulnerability.

Or this might be a case where you can separate different duties between different individuals and limit the scope of any type of security concern. Or you might have multiple security guards all working at the same time to make sure that no single security guard has complete access to everything in your environment. And if you lose power in your building, you might want to have a generator so that while you’re waiting for main power to be restored, you can compensate by turning on your generator.

Those are our four different categories of a compensating control. We have a technical category of blocking that traffic instead of patching the application. There may be a separation of duties for the people that work in your organization. And that fits into the managerial category. You might require multiple security staff working simultaneously. And that would be the operational category. And lastly, having a power generator to compensate for a power outage fits into the physical category.

The last control type we’ll look at is the directive control type. This is a relatively weak security control because it relies on directing someone to do something more secure rather than less secure. For example, you may require everyone to store sensitive information in a protected and encrypted folder on their system. This requires the user to make a decision about what data may be sensitive and what data may be nonsensitive. And then they are directed to store the sensitive information in the protected folder.

As part of our security policies, we may want to add compliance policies and procedures so that everyone understands the proper processes to use for security in your environment. You might also train users on what the proper security policies might be. And another example of a directive control may be a sign that you put on a door that says “authorized personnel only.” There might not be a lock on the door. But the sign saying “authorized personnel only” directs people to either enter or not enter that particular door.

So to summarize these, our file storage policy, which directs people to store sensitive data in a protected folder, fits into the technical category. A compliance policy fits into the managerial category. Someone delivering a security policy training course would be a directive control type fitting into the operational category. And a sign on a door that says “authorized personnel only” fits into the physical category.

The examples I provided for the different security controls and the categories where they fit are just one example each. And you can probably think of a number of different examples that you could fit into any of those squares in our matrix. You could probably also think of security controls that might fit into a different category of control or a different type of control.
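As an added illustration, not from the video, here is a small Python model of that matrix: the four categories by the six control types, filled with the video’s own one-example-per-square list, plus a check that reports which squares a given inventory leaves empty. The cell names, the INVENTORY list, and the function names are assumptions made for this example.

```python
# Added example, not from the original video: a control-coverage matrix built
# from the four control categories and six control types described above.
# Given an inventory of (type, category, name) tuples, it reports which cells
# of the matrix have no control at all.
from collections import defaultdict

CATEGORIES = ("technical", "managerial", "operational", "physical")
TYPES = ("preventive", "deterrent", "detective", "corrective",
         "compensating", "directive")

# Constructed inventory using the one example per cell given in the video,
# listed in CATEGORIES order for each control type.
VIDEO_EXAMPLES = {
    "preventive": ("firewall rule", "onboarding policy",
                   "guard shack ID check", "door lock"),
    "deterrent": ("application splash screen", "threat of demotion",
                  "reception desk", "warning signs"),
    "detective": ("system logs", "login report review",
                  "property patrol", "motion detectors"),
    "corrective": ("restore from backup", "issue reporting policy",
                   "contact law enforcement", "fire extinguisher"),
    "compensating": ("firewall rule until patch ships", "separation of duties",
                     "multiple guards on shift", "backup generator"),
    "directive": ("encrypted folder policy", "compliance policy",
                  "security training", "authorized personnel only sign"),
}
INVENTORY = [(ctype, cat, name)
             for ctype, names in VIDEO_EXAMPLES.items()
             for cat, name in zip(CATEGORIES, names)]


def build_matrix(controls):
    """Validate each control and group control names by (type, category)."""
    matrix = defaultdict(list)
    for ctype, category, name in controls:
        if ctype not in TYPES or category not in CATEGORIES:
            raise ValueError(f"{name!r}: unknown cell {ctype}/{category}")
        matrix[(ctype, category)].append(name)
    return matrix


def coverage_gaps(controls):
    """Return the (type, category) cells that have no implemented control."""
    matrix = build_matrix(controls)
    return [(t, c) for t in TYPES for c in CATEGORIES if not matrix[(t, c)]]
```

Dropping every compensating control from INVENTORY, for instance, makes coverage_gaps report the four empty compensating squares, which is the kind of gap review the matrix is meant to support.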

You might also find, as our technology changes and our security processes evolve, that there are new control types that we could fit into our chart. And of course, not everybody uses the same security controls. So the ones that you use in your organization may be very different from those in someone else’s organization.