Security controls define the actions that cybersecurity professionals take to protect a company. IT security controls are commonly grouped into three main types: physical, technical and administrative.
Each control is implemented for a purpose, which can be preventive, detective or corrective. Other sources and frameworks also recognize deterrent and compensating controls. Controls also protect people, for example through training and social engineering awareness policies.
Lack of security controls puts the confidentiality, integrity, and availability of information at risk. These risks also extend to the security of people and assets within an organization.
The outline below lists the basic security controls grouped by type (physical, technical, administrative) and by purpose (preventive, detective, corrective).
Physical Controls:
- Preventive:
  - Fences
  - Gates
  - Locks
- Detective:
  - CCTV
  - Surveillance cameras
- Corrective:
  - Repair physical damage
  - Re-issue access cards

Technical Controls:
- Preventive:
  - Firewall
  - IPS
  - MFA / 2FA
  - Antivirus
- Detective:
  - IDS
  - Honeypots
- Corrective:
  - Vulnerability patching
  - Reboot a system
  - Quarantine a virus

Administrative Controls:
- Preventive:
  - Hiring & termination policies
  - Separation of duties (or segregation of duties, SoD)
  - Data classification
- Detective:
  - Review access rights
  - Audit logs
  - Unauthorized changes
- Corrective:
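To make the three purposes concrete for the administrative controls listed above, here is an added example (not from the original article) that implements separation of duties as a preventive check, an access-rights review that flags unauthorized changes as a detective check, and baseline-based revocation as the corrective step. The account names, role names, approved baseline and conflicting-role pairs are constructed sample data, not taken from any real system.

```python
"""Added example: three administrative controls on one access-rights model.

- Preventive: separation of duties (SoD) - refuse a grant that would give one
  account both halves of a conflicting role pair.
- Detective: review access rights / unauthorized changes - diff the live
  role assignments against an approved baseline.
- Corrective: revoke every grant the baseline does not approve.

All names and data below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed approved baseline: account -> roles signed off by the owner.
APPROVED_BASELINE: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"dba"},
}

# Constructed SoD matrix: role pairs one account must never hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"ap_clerk", "ap_approver"}),  # create and approve payments
    frozenset({"dba", "db_auditor"}),        # change data and audit the change
}


def sod_violations(roles: Set[str]) -> List[Tuple[str, str]]:
    """Return every conflicting role pair fully contained in `roles`."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)


def request_role(current: Dict[str, Set[str]], account: str, role: str) -> bool:
    """Preventive control: grant `role` only if no SoD conflict results.
    Mutates `current` on success; returns False (no change) when refused."""
    proposed = set(current.get(account, set())) | {role}
    if sod_violations(proposed):
        return False
    current.setdefault(account, set()).add(role)
    return True


def review_access(current: Dict[str, Set[str]],
                  baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Detective control: compare live assignments with the approved baseline.

    Report buckets:
      unauthorized_grants - "account:role" live but not approved
      missing_grants      - approved but absent live (incomplete or reverted change)
      sod_violations      - "account:roleA+roleB" for conflicting pairs held live
    """
    report: Dict[str, List[str]] = {
        "unauthorized_grants": [], "missing_grants": [], "sod_violations": []}
    for acct in sorted(set(current) | set(baseline)):
        live = current.get(acct, set())
        approved = baseline.get(acct, set())
        report["unauthorized_grants"] += [f"{acct}:{r}" for r in sorted(live - approved)]
        report["missing_grants"] += [f"{acct}:{r}" for r in sorted(approved - live)]
        report["sod_violations"] += [f"{acct}:{a}+{b}" for a, b in sod_violations(live)]
    return report


def remediate(current: Dict[str, Set[str]],
              baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Corrective control: return a copy of `current` with every grant not in
    the baseline revoked; accounts left with no roles are dropped."""
    fixed = {acct: set(roles) & baseline.get(acct, set()) for acct, roles in current.items()}
    return {acct: roles for acct, roles in fixed.items() if roles}


def demo_scenario() -> dict:
    """Run the three controls over a constructed sequence of events."""
    live = {acct: set(r) for acct, r in APPROVED_BASELINE.items()}
    granted = request_role(live, "bob", "ap_clerk")   # refused: bob already approves
    # Changes made outside the request path, i.e. unauthorized changes.
    live["carol"].add("db_auditor")
    live["dave"] = {"ap_approver"}
    report = review_access(live, APPROVED_BASELINE)
    fixed = remediate(live, APPROVED_BASELINE)
    return {"granted": granted, "report": report, "fixed": fixed}


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

The review runs against a baseline rather than against "what looks suspicious", which is what makes it a detective control in the administrative sense: the baseline is the documented decision, and any divergence from it is by definition an unauthorized change, whether or not it also trips a separation-of-duties rule.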