Physical Security Control Types – CompTIA Security+ SY0-401: 2.7

There are a number of different control categorizations for physical security. In this video, you’ll learn about deterrent, preventive, detective, and compensating control types.

<< Previous Video: Physical SecurityNext: Business Impact Analysis >>


When dealing with physical security there are different control types that we can categorize these methods into. One is the technical control type. And as technologists, this is one we’re certainly familiar with, where we are using systems within our organization to manage this security. It might be controls and rights and permissions that are within operating systems, or it might be things like hardware devices like firewalls and intrusion prevention systems that are all based around technology.

There are, of course, also administrative control types as well. These are policies that help control how people act. So if you’re going to set up security policies, formal policies, that you might have in a book or an online resource. Or maybe you have standard operating procedures, so that people know how to handle a visitor that comes into the organization.

What do you do when somebody is brought on board as a new employee? And what do you do when somebody leaves the organization? Those are all wrapped around the administrative side of those control policies.

When we’re talking about physical security, there are a number of different control types that might apply to different kinds of physical security. One is a deterrent. A deterrent doesn’t necessarily keep anyone out of a particular area or prevent access to a particular area. But it does discourage them from going into a room or gaining access to a particular area.

Maybe this is something like a warning sign that tells someone that they probably should not be gaining access. Or this particular area is for authorized personnel only. There may not be a lock on the door, but it may make people think twice before entering a particular area.

Another physical security control is the preventive control type. In this case, we are going to prevent somebody gaining access to a room. In this case, we might have a door lock that’s always going to be locked. You only gain access to the room if you happen to have the key. Or maybe it’s something like a security guard is going to check a list and only going to allow the correct people to enter that particular area.

Another physical control type is the detective control type. We are detecting access to a particular area of the organization. This probably is not going to prevent any type of access to the area, but it does give us information about what’s going on.

We might have, for instance, a motion detector. And that motion detector’s going to cause a camera to turn on and record anything that might be happening in that area. Later on. if we want to do some investigation and find out what happened in that area, we can go to our detective control types to determine what did get detected during that particular time frame. And maybe we’ll have motion logs or some actual video footage that we can then compare to those particular time stamps.

And the last physical control type that we will talk about is the compensating control type. In this case, we are hedging our bets. We’re putting together a plan B so that if something does happen, we have a way to work around that particular problem.

For example, you might be able to have a file server attacked, but we might then restore that file server to a completely different piece of iron using backup tapes. The original server wasn’t repaired, we instead worked around and compensated for that by building a completely separate server.

Or you might have a power system back up. If somebody does manage to power down your building, you would simply turn on your generator and your building is back and running again. You didn’t repair that original problem, you compensated for that problem by having a completely different physical control type to be able to keep and maintain the availability and uptime of your organization.