Last time we spoke about the CIA triad. If it is a framework that helps Cybersecurity experts refer to it while doing their job, what about the actual practical application of this knowledge?

That’s where Security Controls come into play. First, people write the control objectives or, in other words, the desired state of the company’s security. Then, security controls are specific activities that help to achieve the desired shape.

Security Control Categories

• Technical controls
  • Firewall rules
  • Encryption
  • Access control lists
• Operational controls
  • User access reviews
  • Log monitoring
• Managerial controls
  • Security planning exercises
  • Best practices
  • Assesments

These three categories are used in tandem—for example, unauthorized access to some data centers:

• An organization implements biometric access (technical category).
• An organization reviews people who go in and out (operational category).
• The risk is periodically assessed (managerial category).

So that’s a summary of Security Controls in an organization. Now let’s talk about Security Control Types.

Security Control Types

CompTIA divides security into types as well. First, we have three categories, and now we have six types.

• Preventive controls
  • In this situation, we stop a security issue before it becomes a problem—for example, a firewall.
• Detective controls
  • Identify security hacks. For example, an intrusion detection system gives us a heads-up about attacks on our systems.
• Corrective controls
  • Remediate security issues. For example, I am having a recent backup and restoring it.
• Deterrent controls
  • Prevent attackers in the first place. Barbed wire and vicious dogs are deterrent measures.
• Physical controls
  • It has an impact on the natural world—for example, locks and fences.
• Compensating controls
  • Are designed to mitigate the risk associated with exceptions made to the security policy. For example, sometimes, you have a specific program that needs to be run by an outdated OS system. You can’t do anything about it, but you design your network so that the machine is not easily accessible.