Two large concepts within information security are understanding what protections (controls) we should have in place and the actual processes of implementing those controls. The reason we have security controls points back to the CIA Triad. To keep our organizations safe and healthy from an information security perspective, we should ensure that our data and systems are kept confidential, have integrity, and are available for use. Implementing security controls helps us align with the principles of the CIA Triad. That being stated, it might be easy to think that since we are dealing with information security, we are only concerned with technical controls and protections such as firewalls and anti-malware solutions. While those and others like them are important, they are not the only category of security control. The three main security control categories are technical (logical), operational (physical), and managerial (administrative). Let’s delve into these to get a better understanding.
Technical controls (also known as logical controls) are the ones I mentioned in the first paragraph. These are the security controls that are implemented as hardware or software IT systems. Examples of technical security controls are firewalls, anti-malware solutions, web filtering, multi-factor authentication (MFA), and email security products.
While technical controls are implemented as hardware and/or software solutions, operational controls (also known as physical controls) are implemented by people. Examples of operational controls are security guards, door locks, motion-sensor-activated lighting, and ongoing training.
As with many things, in order for a system or process to remain effective, we need ways to audit it over time. That is where managerial controls (also known as administrative controls) come into the picture. Managerial controls provide oversight of, and auditing mechanisms for, information systems and processes. Examples of managerial controls include security policies, ongoing testing such as test phishing campaigns, change control processes, and of course, auditing processes.
There are many ways for us to protect the information security of our organizations, and technical controls are not the only ones in scope. Operational and managerial controls can also be put in place to help ensure confidentiality, integrity, and availability.
Featured image credit – George Becker