Security+ Journey – Functional Types of Controls

Security controls are ultimately put in place to mitigate and minimize risk for an organization. As covered in a previous post, there are three main categories of security controls. To recap, these categories are technical (logical), operational (physical), and managerial (administrative). While these categories give us an idea of the high-level characteristics of the different groupings of security controls, in this post we will take it a step further and highlight the different functional types of security controls. I interpret the functional control types as describing what role the control is serving and how it is being implemented. There are three main functional control types and three of what I call “sub-types”. As listed below, the first three are the main types.

A preventive control is put in place to do just what the name implies: to prevent an attack from occurring or a vulnerability from being exploited. From a sequence/time perspective, a preventive control is active before a successful attack can occur. Examples of preventive controls, listed alongside their corresponding control categories, are access control lists (technical), next-generation firewalls (technical), standard operating procedures (managerial), and security guards (operational).

Detective security controls identify and track events as they happen. Detective controls get the most use during an event. Events are tracked through logging and can be alerted upon as well. Examples of detective controls, listed alongside their corresponding control categories, are logs (technical), motion sensors (operational), and intrusion detection systems (technical).

Corrective security controls are put in place to mitigate or minimize the impact of a security event. Examples of technical, corrective security controls are backup systems, patch management systems, and anti-malware software.

The purpose of physical security controls is to protect against in-person attacks and malicious attempts at access. Examples of physical controls are doors/locks, alarms, lights, and physical security (guards).

Deterring security controls discourage individuals from doing something that is unauthorized. Typical deterrent controls include signage, lights, and fencing.

A compensating control can be thought of as a backup or secondary control. This would be something that replicates a primary control in case of failure of the primary control, or something that provides added protection if the primary control does not fully meet the requirements. An example of a compensating control would be a configuration or system backup. If a system becomes corrupted or wiped, it can be restored from the backup, if one exists.

Security controls help us to mitigate and minimize risks. As listed above, there are different functional types of controls that can help us to understand the purpose of the controls and which may be needed to support the security policy and posture of the company.

