Security Controls

Security controls are implemented to reduce the risks an organization faces.

They are essential for protecting the confidentiality, integrity, and availability (CIA) of organizational assets.

Controls can be categorized based on how they are implemented and also based on the function or goal they serve.


Categories of Security Controls

Security controls are broadly divided into three categories based on their implementation.

Administrative Controls

Administrative controls focus on management, personnel, and business practices. They are defined through policies, procedures, and organizational guidelines.

Examples include:

  • Security policies and documentation
  • Risk management processes
  • Personnel security measures
  • Security awareness and training

Technical Controls

Technical controls, also known as logical controls, are implemented through technology such as hardware, software, or firmware.

Examples include:

  • Firewalls
  • Intrusion Prevention Systems (IPS)
  • Antivirus software
  • Encryption mechanisms

Physical Controls

Physical controls are designed to protect physical resources, facilities, and personnel.

Examples include:

  • Security guards
  • CCTV systems
  • Locks and doors
  • Fencing and lighting

Functional Types of Security Controls

Security controls can also be classified based on their purpose or function.


Preventive Controls

Preventive controls are designed to stop incidents before they occur. They reduce the likelihood of a successful attack.

Examples include:

  • Locks and physical barriers
  • Data Loss Prevention (DLP) systems
  • Intrusion Prevention Systems (IPS)

Detective Controls

Detective controls are used to identify and detect unauthorized or unwanted activities.

Examples include:

  • Security guards
  • Log monitoring
  • Intrusion Detection Systems (IDS)
  • SIEM monitoring by security teams

Deterrent Controls

Deterrent controls aim to discourage potential attackers by increasing perceived risk.

Examples include:

  • Warning signs
  • Policies and procedures
  • Non-disclosure agreements (NDAs)
  • Legal consequences

Corrective Controls

Corrective controls are used to fix issues after a security incident has occurred and to prevent recurrence.

Examples include:

  • Applying patches to fix vulnerabilities
  • Using fire extinguishers to stop fire incidents

Recovery Controls

Recovery controls help restore systems and operations after an incident.

Examples include:

  • Backup systems
  • Disaster recovery plans

Compensating Controls

Compensating controls are alternative measures used when the original control is not feasible or practical to implement. They provide a similar level of protection.

Example scenario:

  • A single employee handles both cash collection and recording transactions (lack of separation of duties)
  • A compensating control is introduced where another employee performs reconciliation to detect discrepancies
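The reconciliation step from the scenario above can be made concrete. The following added example (not from the original notes) compares the transactions recorded by the collecting employee against an independent count of cash deposited, and refuses to run if the reconciler is one of the people who recorded the transactions, since the control only compensates for the missing separation of duties when it is performed by someone else. All records, names and amounts are constructed.

```python
"""Added example of a compensating control: independent reconciliation of
recorded transactions against deposits (not code from the original notes)."""
from collections import defaultdict

# Constructed transactions, all recorded by the employee who also collects cash.
RECORDED = [
    {"day": "2024-05-01", "amount": 120.00, "recorded_by": "pat"},
    {"day": "2024-05-01", "amount": 80.00, "recorded_by": "pat"},
    {"day": "2024-05-02", "amount": 200.00, "recorded_by": "pat"},
    {"day": "2024-05-03", "amount": 50.00, "recorded_by": "pat"},
]

# Constructed independent count of the cash actually deposited each day.
DEPOSITED = {"2024-05-01": 200.00, "2024-05-02": 180.00, "2024-05-03": 50.00}


def reconcile(recorded, deposited, reconciler, tolerance=0.01):
    """Return the days whose recorded total and deposited amount disagree.

    Raises ValueError if `reconciler` also recorded transactions, because a
    self-check would not compensate for the lack of separation of duties.
    """
    recorders = {tx["recorded_by"] for tx in recorded}
    if reconciler in recorders:
        raise ValueError(f"{reconciler} recorded transactions and cannot reconcile them")

    totals = defaultdict(float)
    for tx in recorded:
        totals[tx["day"]] += tx["amount"]

    discrepancies = []
    # Walk every day seen on either side so a missing day is also reported.
    for day in sorted(set(totals) | set(deposited)):
        rec = totals.get(day, 0.0)
        dep = deposited.get(day, 0.0)
        if abs(rec - dep) > tolerance:
            discrepancies.append({
                "day": day,
                "recorded": round(rec, 2),
                "deposited": round(dep, 2),
                "difference": round(dep - rec, 2),
            })
    return discrepancies


if __name__ == "__main__":
    for d in reconcile(RECORDED, DEPOSITED, reconciler="sam"):
        print(f"{d['day']}: recorded {d['recorded']:.2f}, deposited "
              f"{d['deposited']:.2f}, difference {d['difference']:+.2f}")
```

On the constructed data the second day is flagged with a 20.00 shortfall; the other two days agree. The control is detective rather than preventive: it does not stop the discrepancy, but it surfaces it to a second person, which is what the PCI requirements below ask of a compensating control.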

Requirements for Compensating Controls

According to PCI standards, compensating controls must:

  • Meet the intent of the original requirement
  • Provide a similar level of security
  • Go beyond other existing controls
  • Address the additional risk created by not implementing the original control

Security Control Selection and Usage

The selection of security controls depends on several important factors, including the nature of the business, the complexity of the environment, and the value of the assets being protected. A security control must make good business sense, meaning it should be cost-effective. In other words, the benefit provided by the control must outweigh its cost.

A security control can be viewed as a combination of its category and the functionality it provides. For example, a firewall is a technical control that provides preventive functionality. Similarly, security policies are administrative controls that act as deterrent controls.

As a security practitioner, it is essential to use a combination of different types of controls to ensure adequate protection of valuable assets. Relying heavily on one type of control while neglecting others can create vulnerabilities. For instance, having strong technical controls but weak physical controls may allow an intruder to gain physical access to systems, resulting in significant risk to the organization.

All security controls must work together in harmony to create a secure, safe, and productive environment.

One example control for each combination of category and function:

  Category        | Preventive            | Detective               | Deterrent                        | Corrective                  | Recovery
  ----------------+-----------------------+-------------------------+----------------------------------+-----------------------------+-----------------------
  Administrative  | Separation of duties  | Periodic access reviews | Security policies and procedures | Employee discipline actions | Disaster recovery plan
  Technical       | Firewall              | IDS                     | Acceptable use banners           | Vulnerability patches       | Data backup
  Physical        | Walls, fences, gates  | CCTV                    | Warning signs                    | Fire suppression systems    | Disaster recovery site

Key Points

  • Security controls must be selected based on:
      ◦ Business requirements
      ◦ Environmental complexity
      ◦ Asset value
  • Controls must be cost-effective:
      ◦ Benefits should outweigh costs
  • A control is defined by:
      ◦ Its category (administrative, technical, physical)
      ◦ Its functionality (preventive, detective, etc.)
  • Multiple controls should be combined to ensure proper protection
  • Weakness in one control area can compromise the entire system

Multiple Functions of a Single Control

A single security control can serve multiple functions depending on how it is implemented and used.

For example, surveillance cameras can act as:

  • Deterrent control:
      ◦ Discourages attackers from performing unauthorized actions
  • Detective control:
      ◦ Security personnel monitor camera feeds
      ◦ Motion detection triggers alerts
  • Compensating control:
      ◦ Provides additional monitoring where other controls are limited
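Two points made in these notes, that a control is the pairing of a category with the functions it provides and that leaning on one category while neglecting others leaves gaps, can be checked mechanically against a control inventory. The following added example (not part of the original notes) builds the category-by-function matrix from a constructed inventory, lets a single control such as CCTV fill more than one function, and reports the cells no control covers. The inventory is an assumption; the category and function names are the ones used in the notes (compensating is left out of the grid because it is an alternative to a missing control rather than a cell of its own).

```python
"""Added example: coverage check over the category/function matrix from the
notes, using a constructed control inventory (not code from the original)."""
CATEGORIES = ("administrative", "technical", "physical")
FUNCTIONS = ("preventive", "detective", "deterrent", "corrective", "recovery")

# Constructed inventory: (control name, category, set of functions it provides).
INVENTORY = [
    ("Security policies and procedures", "administrative", {"deterrent"}),
    ("Separation of duties", "administrative", {"preventive"}),
    ("Firewall", "technical", {"preventive"}),
    ("IDS", "technical", {"detective"}),
    ("Data backup", "technical", {"recovery"}),
    # One control serving two functions, as the surveillance-camera example says.
    ("CCTV", "physical", {"detective", "deterrent"}),
]


def validate(inventory):
    """Reject entries whose category or functions are not in the notes' taxonomy."""
    for name, category, functions in inventory:
        if category not in CATEGORIES:
            raise ValueError(f"{name}: unknown category {category!r}")
        unknown = set(functions) - set(FUNCTIONS)
        if unknown:
            raise ValueError(f"{name}: unknown functions {sorted(unknown)}")


def coverage_matrix(inventory):
    """Map each (category, function) cell to the list of controls filling it."""
    validate(inventory)
    matrix = {c: {f: [] for f in FUNCTIONS} for c in CATEGORIES}
    for name, category, functions in inventory:
        for f in functions:
            matrix[category][f].append(name)
    return matrix


def coverage_gaps(inventory):
    """Cells with no control at all; each is a category/function the program lacks."""
    matrix = coverage_matrix(inventory)
    return [(c, f) for c in CATEGORIES for f in FUNCTIONS if not matrix[c][f]]


def single_points_of_coverage(inventory):
    """Cells served by exactly one control, where a weakness has no backup."""
    matrix = coverage_matrix(inventory)
    return [(c, f, matrix[c][f][0])
            for c in CATEGORIES for f in FUNCTIONS if len(matrix[c][f]) == 1]


if __name__ == "__main__":
    for category, function in coverage_gaps(INVENTORY):
        print(f"gap: no {category} control provides a {function} function")
    for category, function, name in single_points_of_coverage(INVENTORY):
        print(f"single control for {category}/{function}: {name}")
```

Run against the constructed inventory it reports, among others, that nothing physical is preventive (no walls, fences or gates) and that no corrective control exists in any category, which is the "strong technical controls but weak physical controls" situation the notes warn about, made visible before an intruder finds it.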

                +------------------------+
                |   Security Control    |
                +-----------+------------+
                            |
        +-------------------+-------------------+
        |                                       |
        v                                       v
+---------------------+              +----------------------+
|     Category        |              |     Function         |
|---------------------|              |----------------------|
| Administrative      |              | Preventive           |
| Technical           |              | Detective            |
| Physical            |              | Deterrent            |
+---------------------+              | Corrective           |
                                     | Recovery             |
                                     | Compensating         |
                                     +----------------------+

                            |
                            v
                 +----------------------+
                 |   Combined Control   |
                 | (Layered Security)   |
                 +----------+-----------+
                            |
                            v
                 +----------------------+
                 |  Effective Security  |
                 +----------------------+