There are many different risks to manage using existing security controls. In this video, you’ll learn about managerial, operational, technical, preventive, detective, corrective, deterrent, compensating, and physical security controls.
As IT security professionals, you will be asked to manage many different kinds of risks that you would have in the workplace. These risks may be associated with the data that’s on our systems, they might be physical property that we have at our facilities, or they may be the computer systems themselves. Our goals then are to prevent security events, if possible, to limit the impact of any events that do occur and to limit any damage that might be caused.
We’re able to provide all of this through the use of security controls. We put security controls into three major categories. The first category is a managerial control. This is a control that focuses on the design of the security or the policy implementation associated with the security. We might have a set of security policies for our organization or set of standard operating procedures that everyone is expected to follow.
The second is operational controls. These are controls that are managed by people. If we have security guards posted at the front doors or we have an awareness program to let people know that phishing is a significant concern, these would be operational controls.
And of course, we can use our own systems to prevent some of these security events from occurring, these would be technical controls. So if you’ve implemented antivirus on your workstations or there’s a firewall connecting you to the internet, you would consider these technical controls.
Let’s now list some common control types. And what’s interesting about these control types is a certain technology could fit into multiple control types. And you’ll see that as we go through these.
The first control type will look at is a preventive control. This would be something that prevents access to a particular area. Something like locks on a door or a security guard would certainly prevent access as would a firewall, especially if we have a connection to the internet.
A detective control type commonly identifies and is able to record that a security event has occurred, but it may not be able to prevent access. If you have a motion detector like this one, it can certainly identify that motion is there, but it’s not able to stop someone from walking through the room.
Same thing might apply to an IDS, which is set to alarm or alert if it identifies malicious software on the network. But an IDS is designed to only detect that traffic flow and not prevent that traffic flow. A corrective control is designed to mitigate any damage that was occurred because of a security event. For example in IPS, intrusion prevention system can identify an attack on the network and block that traffic from entering the rest of the network. Or devices on your site are infected with ransomware one way to correct that problem, through this corrective control, is to simply restore from a known good backup.
And on a larger scale if a storms hit and power has gone out, you can move everything over to a backup site and maintain the uptime and availability through that corrective control.
A deterrent may not stop an intrusion from occurring but it may deter someone from performing an intrusion. For example, if there’s a Warning sign that would let people know that you were watching for any type of problem. There could be a login banner and a sign in page that lets people know that you’re watching for the log ins. Or there might be lights around your building that might deter someone from breaking in.
A compensating control attempts to recover from an intrusion by compensating for the issues that were left behind. For example, if someone Stole a laptop with all of our data, we could compensate for that by purchasing a new laptop and restoring that data from backup. Or if someone cut the power to our data center, we could have backup power systems or generators that would compensate for that lack of power.
And a physical control type is something we would have in the real world that would prevent the security event, something like a fence or a door lock would certainly prevent someone from physically gaining access to our facility.