Types of Security Controls

When safeguarding against cyberattacks and data breaches, there are choices from all sorts of information security controls — everything from firewalls to malware detection applications, and much more.

Many standards and frameworks exist that can help secure IT systems properly. The most widely used information security frameworks and standards include:

  • The National Institute of Standards and Technology (NIST) Special Publication 800-53,  Security and Privacy Controls for Federal Information Systems and Organizations 
  • The International Organization for Standardization (ISO) standard ISO 27001,  Information Security Management 
  • The Payment Card Industry Data Security Standard (PCI DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The nonprofit Center for Internet Security (CIS) 

In the context of security controls , the six controls can be classified into the following group:

Preventive:
Use a preventive countermeasure to prevent a malicious action from occurring by blocking or stopping someone or something from doing or causing so. Examples for such type of controls are:

  • Firewalls.
  • Intrusion Prevention Systems IPS.
  • Security Guards.
  • Biometric Access Control.
  • Using Encryption.
  • Video Surveillance.
  • Fences.
  • Strong Authentication.
  • Locks.
  • Mantraps.
  • Antivirus Software

Detective: Detective control countermeasures are implemented to help detect any malicious activities. A detective controls doesn’t stop or mitigate intrusion attempts; it only identifies and reports them. Examples of this type are:

  • Intrusion Detection Systems IDS.
  • Alarms.
  • Lights.
  • Motion Detectors.
  • Security Guards.
  • Video Surveillance.
  • Logs and Audit Trails.
  • Enforcing Staff Vacations.

Corrective:
These type of controls attempt to get the system back to normal.
Examples for this type are:

  • Restoring operating system or data from a recent backup.
  • Updating an outdated antivirus.
  • Installing a fix.

Deterrent:
Implements deterrent controls in an attempt to discourage attackers from attacking their systems or premises. In other words, a deterrent countermeasure is used to make an attacker or intruder think twice about his malicious intents.
Deterrent controls include:

  • Fences.
  • Security Guards.
  • Dogs.
  • Lights.
  • Video Surveillance.
  • Alarms.

Recovery:
Recovery countermeasures aim to complement the work of corrective countermeasures. They also try to get the system back to its normal condition before the attack occurred.
Recovery controls include:

  • Disaster Recovery Site.
  • System and Data backups.
  • High Availability.

Compensating:
A compensating control provides an alternate solution to a countermeasure that is either impossible or too expensive to implement. One control may serve in one, two or more functional types. For example, the security guards are considered to be preventive, detective, and deterrent as well.

Information security controls can also be classified into several areas of data protection:

Physical access controls. This includes restrictions on physical access such as security guards at building entrances, locks, close circuit security cameras, and perimeter fences. 

Cyber access controls. These are cybersecurity controls and policies such as up-to-date firewalls, password policies, and software applications that alert you to cybersecurity risks like ransomware attacks and phishing.

Procedural controls. This includes security awareness education, security framework compliance training, and incident response plans and procedures put in place to enhance network security. 

Technical controls. Increasingly common are controls such as multi-factor user authentication at login, and also granting internal access to your IT system on a need-to-know basis. 

Compliance controls. This means adherence to privacy laws and cybersecurity frameworks and standards designed to minimize security risks. These typically require an information security risk assessment, and impose information security requirements. For example, if a company is required to be in compliance with the NIST cybersecurity framework but isn’t, it can face monetary penalties until those compliance controls are put into place. 

How Can IT MINISTER Help You?

IT Minister covers all aspects of Cyber Security including but not limited to Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations, Mobile Device Management, Cloud security best practice & architecture, OSINT and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.