Security Control Categories and Types
Asher Best • October 23, 2022
A security control is an implementation that enables an information system to remain confidential, uphold integrity, remain available and ensure non-repudiation. There are three categories of security controls: managerial, operational, and technical. There are six types of security controls: preventative, detective, corrective, deterrent, compensating, and physical.
Security Control Categories
Managerial
Managerial security controls allow for oversight of an information system. This is often useful for identifying risk or evaluating other security controls.
Operational
Operational security controls relate primarily to people rather than systems. An example would include sending out monthly training emails to personnel on common phishing techniques.
Technical
Technical security controls (also known as logical controls) are hardware, software, or firmware implementations. Creating a firewall rule to block unknown IP addresses from accessing SSH over port 22 on a server is an example. You could also install anti-virus software on your hosts to prevent malware infection.
Security Control Types
Preventative
Preventative controls attempt to eliminate or mitigate attacks before they occur. You could implement an access control list (ACL) to disallow users who lack the appropriate permissions from accessing certain folders.
Detective
Detective controls aim to identify attacks as they occur. An example would be an audit logging system that enables you to view and analyze access attempts in or near real time.
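The firewall rule from the Technical section (a preventative control) and the audit log described here (a detective control) can be sketched together. This is an added Python example, not part of the original article; the allowlisted ranges, the sample connection attempts and the three-denial threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: "known" addresses are expressed as an allowlist of CIDR ranges.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]
SSH_PORT = 22

# Constructed sample connection attempts: (timestamp, source IP, destination port).
ATTEMPTS = [
    ("2022-10-23T09:00:01", "10.1.2.3", 22),
    ("2022-10-23T09:00:05", "203.0.113.7", 22),
    ("2022-10-23T09:00:06", "203.0.113.7", 22),
    ("2022-10-23T09:00:07", "203.0.113.7", 22),
    ("2022-10-23T09:01:00", "198.51.100.9", 22),
    ("2022-10-23T09:02:00", "198.51.100.9", 443),
    ("2022-10-23T09:03:00", "192.0.2.5", 22),
]

def is_allowed(src, port):
    """Preventative control: only known networks may reach SSH."""
    if port != SSH_PORT:
        return True  # this rule only governs SSH; other ports are out of scope
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_NETWORKS)

def enforce_and_log(attempts):
    """Apply the rule to every attempt and keep an audit record of each decision."""
    return [{"time": ts, "src": src, "port": port,
             "action": "allow" if is_allowed(src, port) else "deny"}
            for ts, src, port in attempts]

def repeated_denials(audit_log, threshold=3):
    """Detective control: sources denied at least `threshold` times."""
    denied = Counter(e["src"] for e in audit_log if e["action"] == "deny")
    return sorted(src for src, n in denied.items() if n >= threshold)

if __name__ == "__main__":
    log = enforce_and_log(ATTEMPTS)
    for entry in log:
        print(entry)
    print("sources to review:", repeated_denials(log))
```

The rule alone stops the unknown sources, but only the audit record shows that one of them kept retrying, which is the information a detective control exists to surface.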
Corrective
Corrective controls attempt to eliminate or mitigate the impact of attacks after they occur. If you did your due diligence and set up a backup system beforehand, this would enable you to restore a system to a previous state after it has been breached.
Deterrent
Deterrent controls aim to discourage an attacker from attempting unauthorized access. This could include posting signage outside of a property stating that only authorized personnel are allowed access to the premises.
Compensating
Compensating security controls seek to replace another security control, achieving the same or a higher level of security through different methods and technologies.
Physical
Physical security controls are a means of preventing, detecting and deterring access to on-premises assets. A key-card-activated lock would prevent unauthorized personnel from accessing the premises. Security cameras could provide detection of (and possibly deter) unauthorized personnel attempting to access a server room.