
IT Security Controls


IT security controls play a foundational role in shaping the efforts security professionals make to protect an organization. Security controls protect the things that are of utmost importance to an organization. These generally include property, people, and data, also known as the assets of the organization.

Their function is to reduce and mitigate risks to those assets. A control can be any policy, procedure, process, action, plan, solution, or device designed and implemented to accomplish that goal.

Types of IT Security Controls

Physical Controls are anything tangible used to detect or prevent unauthorized access to physical areas, systems, or assets. These controls encompass things like fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras, and intrusion detection sensors.

Technical Controls are logical controls: software or hardware mechanisms that protect assets. Some examples of technical controls are authentication solutions, firewalls, antivirus software, and encryption measures.

Administrative Controls refer to policies, procedures, or guidelines that describe personnel or business practices in line with the organization’s security goals. Some examples of administrative controls are policies and procedures for employee hiring and termination, physical access to facilities, and segregation of duties.

Every security control necessarily falls under one of the following control functions

Preventive Controls describe any security measures designed to prevent unwanted or unauthorized activity from occurring. Examples of preventive controls are physical controls like locks, alarm systems, and fencing; technical controls like antivirus software and firewalls; and administrative controls like segregation of duties and data classification.

Detective Controls describe security measures implemented to detect and alert on unwanted or unauthorized activity in progress or after it has occurred. Examples of detective controls are door alarms, fire alarms, honeypots, and IDSs.

Corrective Controls describe any measures taken to repair the damage or restore resources to their prior state after an unwanted or unauthorized activity. Examples of corrective controls are patching a system, terminating a system, and an incident response plan.

| Control Types \ Control Functions | Preventive | Detective | Corrective |
| --- | --- | --- | --- |
| Physical | Perimeter fencing, gates, locks | CCTV and surveillance camera logs | Repair physical damage, reissue access cards |
| Technical | IPS, MFA, firewalls, and antivirus | IDS, honeypots | Patch a system, terminate a process |
| Administrative | Hiring and termination policies, segregation of duties | Review access rights, audit logs, and unauthorized changes | Implementing incident response and BCP plans |

 Diagram: Control types across different control functions with their examples

These controls are not chosen or implemented arbitrarily. When choosing security controls for an organization, security professionals should take into consideration the organization's risk management process, its strategies with respect to IT security, its industry, and the applicable laws and regulations.

When implementing security controls, security professionals generally opt for a combined approach, where two or more types of controls are implemented simultaneously. These controls are tailored to the strategies and compliance goals of the organization. The ultimate goal of these security controls is to uphold the three foundational principles of security: Confidentiality, Integrity, and Availability.

Author,

Sobiya Munshi,

Audit and Compliance Team,

Varutra Consulting Pvt. Ltd.
