IT security controls play a foundational role in shaping the efforts security professionals take to protect an organization. Security controls protect the things that matter most to an organization, which generally means its property, people, and data, collectively known as its assets.

Their function is to reduce and mitigate risks to those assets. A control can be any policy, procedure, process, action, plan, solution, or device designed and implemented to accomplish a security goal.

They are broadly classified into three types:

Physical Controls are anything tangible used to detect or prevent unauthorized access to physical areas, systems, or assets. These controls encompass things like fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras, and intrusion detection sensors.

Technical Controls are logical controls, such as software or hardware mechanisms, that protect assets. Some examples of technical controls are authentication solutions, firewalls, antivirus software, and encryption.

Administrative Controls refer to policies, procedures, or guidelines that describe personnel or business practices in line with the organization’s security goals. Some examples of administrative controls are policies and procedures for employee hiring and termination, physical access to facilities, and segregation of duties.

Every security control also performs one of the following functions:

Preventive Controls describe any security measures designed to stop unwanted or unauthorized activity from occurring. Examples of preventive controls are physical controls like locks, alarm systems, and fencing; technical controls like antivirus software and firewalls; and administrative controls like segregation of duties and data classification.

Detective Controls describe security measures implemented to detect and alert on unwanted or unauthorized activity, either while it is in progress or after it has occurred. Examples of detective controls are door alarms, fire alarms, honeypots, and IDSs.

Corrective Controls describe any measures taken to repair the damage or restore resources to their prior state after an unwanted or unauthorized activity has occurred. Examples of corrective controls are patching a system, terminating a system, and an incident response plan.

Control Types vs. Control Functions

| Control Type   | Preventive                                              | Detective                                                  | Corrective                                   |
|----------------|---------------------------------------------------------|------------------------------------------------------------|----------------------------------------------|
| Physical       | Perimeter fencing, gates, locks                         | CCTV and surveillance camera logs                          | Repair physical damage, reissue access cards |
| Technical      | IPS, MFA, firewalls, and antivirus                      | IDS, honeypots                                             | Patch a system, terminate a process          |
| Administrative | Hiring and termination policies, segregation of duties | Review access rights, audit logs, and unauthorized changes | Implement incident response and BCP plans    |

Diagram: Control types across different control functions with their examples

These controls are not chosen or implemented arbitrarily. While choosing security controls for an organization, security professionals should take into consideration the organization's risk management process, its IT security strategies and goals, the industry it operates in, and the applicable laws and regulations.

When implementing security controls, security professionals generally opt for a combined approach, where two or more types of controls are implemented simultaneously. These controls are tailored to the strategies and compliance goals of the organization. The ultimate goal of these security controls is to uphold the three foundational principles of security: Confidentiality, Integrity, and Availability.


Author,

Sobiya Munshi,

Audit and Compliance Team,

Varutra Consulting Pvt. Ltd.