Skip to content

Comparing Security Controls

Jump to bottom
Mahesh Shukla - JailBreaker edited this page Jun 12, 2024 · 1 revision

Technical Controls

Technical control mechanisms are implemented using hardware, software, and/or firmware components. These controls can be native to the system or supplemental to existing controls. They are designed to protect the integrity, confidentiality, and availability of information systems.

Examples:

  • Firewalls: A firewall can be a hardware device or software application that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between trusted and untrusted networks, filtering traffic to prevent unauthorized access.
  • Cryptography: Cryptography involves the use of algorithms to encrypt data, ensuring that it remains confidential and secure during transmission or storage. Examples include SSL/TLS for secure web browsing, and AES for data encryption.
  • Authentication Systems: These systems verify the identity of users before granting access to resources. Examples include password-based systems, biometric systems (fingerprint or facial recognition), and two-factor authentication (2FA).

Managerial Controls

Managerial controls are related to the governance, oversight, strategic alignment, and decision-making processes within an organization. They are essential for risk management and ensuring that security policies and procedures are effectively implemented and maintained.

Examples:

  • Risk Assessments: This involves identifying, evaluating, and prioritizing risks to an organization's assets and operations. The goal is to understand the potential impact of different threats and determine the best ways to mitigate them.
  • Project Management: Effective project management ensures that security projects are planned, executed, and monitored properly. This includes setting objectives, managing resources, and ensuring that security requirements are met.

Operational Controls

Operational controls are aligned with processes that are primarily implemented and executed by people. These controls ensure that day-to-day operations follow security policies and procedures.

Examples:

  • Change Configuration Management: This involves tracking and managing changes to IT systems to ensure that they do not negatively impact security. It includes documenting changes, assessing their impact, and obtaining approval before implementation.
  • Training: Regular security training and awareness programs help employees understand security policies, recognize threats, and respond appropriately.
  • Testing: Regular testing of security systems and procedures, such as penetration testing and vulnerability assessments, helps identify and address weaknesses.

Physical Controls

Physical controls are designed to address physical interactions, generally related to buildings and equipment. They protect physical assets from unauthorized access, damage, or theft.

Examples:

  • Gates, Barricades, Locks: These physical barriers prevent unauthorized access to sensitive areas. For example, gates and barricades can control access to a facility, while locks can secure individual rooms or devices.
  • Security Guards: Human security personnel can monitor and control access to a facility, respond to incidents, and enforce security policies.

Deterrent Controls

Deterrent controls are designed to discourage threat agents from taking undesirable actions. By making it clear that there are consequences for malicious behavior, deterrent controls reduce the likelihood of an attack.

Examples:

  • Warning Signs: Signs indicating that an area is under surveillance or that trespassing is prohibited can deter unauthorized access.
  • Policies and Procedures: Clearly communicated policies, such as acceptable use policies, can deter employees from engaging in risky behavior.

Preventative Controls

Preventative controls stop a threat agent from being successful in their malicious activities. These controls are proactive measures designed to prevent security incidents before they occur.

Examples:

  • Access Controls: Mechanisms such as user authentication and authorization prevent unauthorized individuals from accessing sensitive information or systems.
  • Encryption: Encrypting data ensures that even if it is intercepted, it cannot be read without the proper decryption key.

Diagram

controls_cross_over

Detective Controls

Detective controls identify and report a threat agent or action, allowing an organization to respond to security incidents promptly. These controls provide visibility into security events and help detect potential issues.

Examples:

  • Intrusion Detection Systems (IDS): IDS monitor network traffic for suspicious activity and generate alerts when potential threats are detected.
  • Log Analysis: Regularly reviewing logs from various systems (e.g., firewalls, servers) helps identify unusual patterns or activities that may indicate a security incident.

Corrective Controls

Corrective controls minimize the impact of a threat agent or modify or fix a situation after a security incident has occurred. These controls aim to restore normal operations and prevent future incidents.

Examples:

  • Backup and Restore Procedures: Regular backups ensure that data can be recovered in case of a loss or corruption. Restore procedures help return systems to their normal state.
  • Patch Management: Applying patches to fix known vulnerabilities in software reduces the risk of exploitation.

compensating_controls

Compensating Controls

Compensating controls are implemented in lieu of a recommended control that provides equivalent or comparable protection. These controls can be used when the recommended control is not feasible or does not provide sufficient protection.

Examples:

  • Temporary Firewalls: In the case of a zero-day vulnerability, a temporary firewall rule might be implemented to block traffic until a proper patch is available.
  • Additional Monitoring: If a primary control is not effective, additional monitoring might be implemented to detect and respond to potential threats.

Directive Controls

directive_controls

Directive controls are proactive actions taken to cause or encourage a desirable event or outcome to occur. They are broad in nature and often used to increase the effectiveness of other controls.

Examples:

  • Frameworks and Models: Security frameworks like NIST or ISO provide guidelines and best practices for implementing comprehensive security programs.
  • Policies and Guidance Statements: Security policies, procedures, and guidance documents help ensure that everyone in the organization understands their roles and responsibilities related to security.

Security in Action

security_in_action

To illustrate how these controls work together in practice, consider the following scenarios:

  • Physical Security: A server room might be secured with locks on the doors (preventative), monitored by motion sensor alarms (detective), and patrolled by security guards (deterrent).
  • Technical Security: Network security can be enhanced with firewalls that filter incoming and outgoing traffic (preventative), logging mechanisms that track network activity (detective), and regular updates to firewall rules and antivirus definitions (corrective).
  • Managerial Security: An organization might conduct annual web application audits to identify vulnerabilities (detective) and implement project management practices to ensure that security projects are completed on time and within budget (managerial).
  • Operational Security: Regular updates and patches to software systems (corrective), employee training on security best practices (operational), and change configuration management to control and document system changes (operational).

By understanding and implementing these various types of controls, organizations can build a robust security posture that protects against a wide range of threats.

Clone this wiki locally