What are controls?
In the context of information security management, a control is any administrative, managerial, technical, or legal measure used to modify or manage information security risk. Controls are usually classified by when they act relative to an incident: before it (preventive), while or after it happens (detective), and after it (corrective and recovery).
In information security, there are three main types of security controls:
- Preventive controls
- Detective controls
- Corrective controls
Preventive controls:
Preventive controls are security measures that are designed to prevent security incidents from occurring in the first place. These measures are implemented to reduce the risk of a security breach or attack and are typically proactive in nature.
Examples of preventive controls include:
- Antivirus software: This is software designed to block known malware before it runs on a computer or network. (Its ability to find malware that has already run is a detective function; the same product can sit in more than one category.)
- Firewalls: This is a security system that filters network traffic according to a policy, blocking connections that are not explicitly allowed.
- Access controls: This is a security measure that is designed to restrict access to a system or resource to only those who are authorized to use it. This can include the use of user accounts and permissions, as well as the use of physical or technical barriers to prevent unauthorized access.
- Patch management: This is the process of identifying and installing software updates or patches in order to fix vulnerabilities and improve the security of a system.
- Security awareness training: This is the process of educating employees about security best practices and policies, in order to help them understand the importance of protecting sensitive information and prevent security incidents.
- Encryption: This is the use of cryptography to protect data at rest and in transit, so that data copied or intercepted by an unauthorized party cannot be read. (Data backup and recovery, which is sometimes listed here, does not stop an incident; it limits the damage, so this page treats it as a recovery control below.)
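The access control example above, written out as a deny-by-default authorisation check. This is an added example, not code from the original page. The roles, users, resources and the hypothetical guarded() wrapper are constructed for illustration; the point it demonstrates is that every request that does not match an explicit grant ends in a deny, including unknown users and users with no role, and that the check runs before the action rather than after it.

```python
"""Preventive control: a deny-by-default authorisation check.

Added example, not from the original page. The roles, users and resources are
constructed; the point is that a request is refused unless an explicit grant
exists, and that the check runs before the action rather than after it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

Grant = Tuple[str, str]  # (resource, action)

# Constructed policy: a role holds only the grants listed here; nothing else.
ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("users", "write")},
}

# Constructed directory: carol exists but holds no role, so she must get nothing.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob": {"admin"},
    "carol": set(),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, resource: str, action: str) -> Decision:
    """Every path that is not an explicit match ends in a deny."""
    roles = USER_ROLES.get(user)
    if roles is None:
        return Decision(False, "unknown user")
    for role in sorted(roles):
        if (resource, action) in ROLE_GRANTS.get(role, set()):
            return Decision(True, f"granted via role '{role}'")
    return Decision(False, "no matching grant")


def guarded(user: str, resource: str, action: str, fn: Callable[[], object]) -> object:
    """Run fn() only if the check passes; the action never executes on a deny."""
    decision = authorize(user, resource, action)
    if not decision.allowed:
        raise PermissionError(f"{user} may not {action} {resource}: {decision.reason}")
    return fn()


if __name__ == "__main__":
    for who, res, act in [("alice", "reports", "read"), ("alice", "reports", "write"),
                          ("carol", "reports", "read"), ("mallory", "reports", "read")]:
        print(who, act, res, "->", authorize(who, res, act))
```

The check is placed in a single function that the rest of the code must go through; spreading "if user is admin" tests across the code base is how grants get missed, and a missed grant in a deny-by-default design fails closed rather than open.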
Detective controls:
Detective controls are security measures that are designed to detect that a security incident is occurring or has occurred, so that appropriate action can be taken. They act during or after an event and supply the signal that corrective and recovery controls respond to; a detective control on its own does not stop anything.
Examples of detective controls include:
- Log monitoring: This is the process of regularly reviewing system logs or event logs in order to identify any unusual or suspicious activity that may indicate a security incident.
- Intrusion detection systems (IDS): These are systems that watch network traffic or host activity for known attack signatures or deviations from a baseline, and alert administrators when they see a match.
- Security audits: This is the process of reviewing and evaluating a system or network's security to identify any vulnerabilities or weaknesses that may need to be addressed.
- Vulnerability scans: This is the process of scanning a system or network to identify any vulnerabilities that attackers may exploit.
- Penetration testing: This is the process of simulating an attack on a system or network in order to identify vulnerabilities and assess the security of the system.
- File integrity monitoring: This is the process of recording cryptographic hashes of important files and configuration, and alerting when a file changes in a way that was not expected. (An incident response plan, which is sometimes listed here, does not detect anything; it directs the response once something has been detected, so this page lists it under recovery controls below.)
Corrective controls:
Corrective controls are security measures that are designed to correct problems or vulnerabilities that have been identified in a system. These measures are typically reactive in nature, and are implemented after a security incident has occurred or after a vulnerability has been identified.
Examples of corrective controls include:
- Patching software: This is the process of installing updates or patches in order to fix vulnerabilities and improve the security of a system.
- Updating system configurations: This is the process of modifying system settings or configurations in order to improve security or fix vulnerabilities.
- Replacing outdated hardware: This is the process of replacing outdated or vulnerable hardware with newer, more secure hardware to improve a system's security.
- Implementing new security controls: This is the process of introducing new security measures, such as new software or hardware, in order to address identified vulnerabilities or improve the overall security of a system.
- Reviewing and updating policies and procedures: This is the process of reviewing and updating security policies and procedures in order to ensure that they are effective and up-to-date.
- Containing a compromised account or host: This is the process of disabling or locking an account, revoking its credentials or sessions, or isolating a host from the network once it has been identified as compromised, so that the attacker loses the access they gained.
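The log monitoring example from the detective section and the account containment example from the corrective section, shown together as one pipeline: a detective check over login log lines that raises an alert, and a corrective step that locks the alerted account. This is an added example, not code from the original page. The sshd-style log format, the threshold and window, the usernames, the IP addresses and the AccountStore stand-in are all constructed; a real deployment would read from auth.log or a SIEM and lock accounts through the identity provider.

```python
"""Detective control (log monitoring) feeding a corrective control (account lockout).

Added example, not from the original page. The log format, the threshold, the
usernames and the IP addresses are constructed; a real deployment would read
from auth.log/syslog or a SIEM and lock accounts through the identity provider.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd-style sample log: a burst of failures for alice followed by a
# success from the same address, and a single stray failure for bob.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 sshd: Accepted password for bob from 198.51.100.2
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:08 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:30:00 sshd: Failed password for bob from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)
THRESHOLD = 5                   # failures per (user, ip) ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window raise an alert


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None             # unparseable lines are skipped, not fatal
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[Dict]:
    """Detective control: sliding-window count of failures per (user, ip).

    Emits one 'brute_force' alert when the count reaches threshold, and a
    'success_after_failures' alert if that same pair later logs in successfully,
    which is the signal that the attempt may have worked."""
    failures: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged = set()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        key = (user, ip)
        if result == "Accepted":
            if key in flagged:
                alerts.append({"kind": "success_after_failures", "user": user, "ip": ip, "at": ts.isoformat()})
            continue
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # drop failures that fell out of the window
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"kind": "brute_force", "user": user, "ip": ip, "at": ts.isoformat(), "count": len(q)})
    return alerts


class AccountStore:
    """Stand-in for the identity store a corrective control acts on (constructed)."""
    def __init__(self) -> None:
        self.locked: Dict[str, str] = {}

    def lock(self, user: str, reason: str) -> None:
        self.locked[user] = reason

    def is_locked(self, user: str) -> bool:
        return user in self.locked


def correct(alerts: List[Dict], store: AccountStore) -> List[Tuple[str, str]]:
    """Corrective control: lock every alerted account once; return the actions taken."""
    actions = []
    for a in alerts:
        if not store.is_locked(a["user"]):
            store.lock(a["user"], f"{a['kind']} from {a['ip']} at {a['at']}")
            actions.append(("lock", a["user"]))
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(correct(found, AccountStore()))
```

On the constructed log the detector raises a brute-force alert on alice's fifth failure and a second alert when the same address then logs in successfully; the corrective step locks alice once and leaves bob, who has a single failure, alone. The second alert is the one worth tuning for: a lockout after a burst of failures is routine, but a success after that burst means the corrective control is now handling a likely compromise rather than noise.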
Two other types of control:
Deterrent controls
Deterrent controls are security measures that are designed to discourage or deter unwanted or unauthorized activity. These measures are often used in conjunction with other types of security controls, such as preventive, detective, and corrective controls.
Examples of deterrent controls include:
- Visible security: This involves the use of visible security measures, such as guards or security cameras, to deter potential attackers or criminals from attempting to access a facility or system.
- Signage: This involves the use of warning signs or other types of signage to alert potential attackers or criminals that certain areas or activities are off-limits or monitored.
- Lighting: This involves the use of lighting to make an area more visible and deter potential attackers or criminals from attempting to access it.
- Barriers: This involves the use of physical barriers, such as fences or gates, to deter potential attackers or criminals from attempting to access an area.
- Publicity: This involves the use of public awareness campaigns or media coverage to educate the public about the risks of certain types of activity and discourage them from engaging in those activities.
Recovery Controls:
Recovery controls are security measures that are designed to restore a system or network to normal operation after a security incident or disaster. They are exercised after an incident has occurred, but they only work if they were put in place, and tested, beforehand: a backup that has never been restored is not yet a control.
Examples of recovery controls include:
- Data backup and recovery: This is the process of regularly backing up data in order to be able to recover it in the event of a disaster or security incident.
- Disaster recovery plans: These are plans that outline the steps that should be taken in the event of a disaster or major security incident, in order to minimize the impact of the incident and ensure that the organization is able to recover quickly and effectively.
- Business continuity plans: These are plans that outline the steps that should be taken to ensure that the organization is able to continue operating in the event of a disaster or major security incident.
- Incident response plans: These are plans that outline the steps that should be taken in the event of a security incident, in order to minimize the impact of the incident and ensure that it is properly contained and resolved.
- Testing and drills: This involves regularly testing and practicing the organization's recovery plans and procedures, including actually restoring from backups, in order to confirm that they work and that the organization is prepared to handle a disaster or security incident.
- Redundancy and failover: This involves implementing backup systems or processes that can be used in the event of a failure or outage of primary systems or infrastructure.
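The backup, recovery and drill items above, carried through as a small worked procedure: take a backup with an integrity manifest, restore it, and verify the restored files against the manifest so that silent corruption is caught by the drill rather than during a real recovery. This is an added example, not code from the original page. The source tree, file contents, archive name and temporary directory layout are constructed; a real job would write the archive to off-host storage and run the drill on a schedule. It also includes the check a practitioner wants when restoring archives from storage they do not fully control: a tar member whose path escapes the restore directory is refused.

```python
"""Recovery control: backup with an integrity manifest, and a restore drill that
proves the backup can actually be restored.

Added example (not from the original page). The source tree, file contents and
directory layout are constructed in temporary directories; a real job would write
the archive to off-host storage and run the drill on a schedule.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> Path:
    """Archive src into dest_dir and write manifest.json (relative path -> sha256)."""
    manifest: Dict[str, str] = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def _safe_members(tar: tarfile.TarFile, target: Path) -> Iterator[tarfile.TarInfo]:
    """Refuse members whose resolved path escapes target (classic tar path traversal)."""
    root = target.resolve()
    for member in tar.getmembers():
        dest = (target / member.name).resolve()
        if dest != root and root not in dest.parents:
            raise ValueError(f"refusing to extract {member.name!r}: escapes {root}")
        yield member


def restore(archive: Path, target: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, members=_safe_members(tar, target))


def verify(manifest_path: Path, target: Path) -> List[str]:
    """Compare restored files against the manifest; an empty list means the drill passed."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest.items():
        p = target / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def run_drill(tamper: bool = False) -> List[str]:
    """Full cycle on a constructed tree: back up, restore, verify.
    tamper=True corrupts one restored file to show the drill catching silent damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, target = Path(tmp, "src"), Path(tmp, "backup"), Path(tmp, "restore")
        (src / "sub").mkdir(parents=True)
        dest.mkdir()
        target.mkdir()
        (src / "a.txt").write_text("alpha")           # constructed sample data
        (src / "sub" / "b.txt").write_text("bravo")
        archive = make_backup(src, dest)
        restore(archive, target)
        if tamper:
            (target / "sub" / "b.txt").write_text("bravo-but-flipped")
        return verify(dest / "manifest.json", target)


def traversal_is_refused() -> bool:
    """Build an in-memory archive with a '../' member and confirm restore() rejects it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("../evil.txt")
        info.size = 4
        tar.addfile(info, io.BytesIO(b"pwnd"))
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp, "evil.tar.gz")
        archive.write_bytes(buf.getvalue())
        target = Path(tmp, "restore")
        target.mkdir()
        try:
            restore(archive, target)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("drill problems:", run_drill())
    print("tampered drill problems:", run_drill(tamper=True))
    print("traversal refused:", traversal_is_refused())
```

The manifest is stored beside the archive here for brevity; in practice it should be kept (or signed) separately, since an attacker who can tamper with the archive can usually tamper with a manifest sitting next to it. The path check in _safe_members covers the plain "../" case; newer Python versions also offer the extraction filter argument to tarfile, which additionally handles symlink tricks.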