Types of Security Controls: Preventive, Detective, Corrective and More

  • John Berti
  • Updated on: 07 Nov 2024


    A complete control strategy is crucial for safeguarding any organization's assets and information. But what truly makes a control strategy complete? The answer lies in understanding and implementing the right mix of control types.

    As a CISSP candidate, developing a deep understanding of these various control types and how they work together to create a robust security framework is essential. This knowledge forms the foundation for effectively protecting critical assets and managing risks in real-world scenarios.

    In this guide, we'll explore the key types of controls your security strategy should have in place. We'll delve into their definitions, examples, and how they contribute to a layered defense approach. Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, you'll find valuable insights here.

    Let's dive into the world of security controls and discover how they form the backbone of a comprehensive cybersecurity strategy.

    Different Types of Security Controls

    Security controls are essential tools in managing and mitigating risks within an organization. They come in various forms, each serving a specific purpose in the overall security strategy. Understanding these different types of controls is crucial for implementing a defense-in-depth approach, also known as layered security.

    Let's explore the seven major types of controls that can be put in place to protect an organization's assets and information:

    Directive

    Directive controls direct, confine, or control the actions of subjects to force or encourage compliance with security policies. An example of a directive type of control is a mandate or a corporate policy.

    Deterrent

    Deterrent controls discourage violation of security policies. An example is a sign warning that a piece of land is private property and trespassers will be shot. Nothing prevents someone from walking past the sign, but it’s a good deterrent.

    Preventive

    Preventive controls can prevent undesired actions or events. For example, a fence that prevents someone from walking onto private property. Another example involves not having flammable materials around and therefore preventing a fire from starting.

    Detective

    Detective controls are designed to identify if an incident has occurred. Importantly, detective controls operate after an incident has already occurred. An example is a smoke alarm detecting smoke.

    Corrective

    Corrective controls are used to minimize the negative impact of an incident. An example is a fire suppression system activating.

    Recovery

    Recovery controls are designed to recover a system or process and return it to normal operations following an incident. An example is a data backup policy allowing restoration of data on an affected server after an incident has taken place.

    Compensating

    Compensating controls are typically deployed in conjunction with other controls to aid in enforcement and support of the other controls. They try to make up for the lack of other effective controls. However, compensating controls can also be used in place of another control to provide the required security. One example involves deploying a Host Intrusion Prevention System (HIPS) on a critical server, in addition to having a Network Intrusion Prevention System (NIPS) operating on that server’s subnet. This way, if any offending traffic manages to slip by the NIPS tool, the HIPS on the server may still be able to prevent malware from damaging it.

    Remember that detective, recovery, and corrective controls are enforced after an incident is present. However, deterrent, directive, preventive, and compensating controls are applicable before an incident takes place. It is always better to stop something bad from happening than it is to deal with it after it has happened.

    We should aim to implement complete controls, which are combinations of preventive, detective, and corrective controls. The idea behind this is that there is no perfect preventive control, so detective and corrective controls should also be implemented in conjunction. At a minimum, you should ensure that preventive, detective, and corrective controls are implemented at each layer of defense.


    Categories of Controls

    After understanding the different types of controls, it's important to recognize how these controls can be categorized. This categorization helps in understanding their nature and application in various security contexts. A way to categorize the security controls we just reviewed is as safeguards or countermeasures.

    Safeguards are proactive controls; they are put in place before an incident has occurred to deter or prevent it from manifesting. Safeguards include directive, deterrent, preventive, and compensating controls.

    Countermeasures are reactive controls. They act after an incident has occurred and aim to detect and respond to it accordingly. Countermeasures include detective, corrective, and recovery controls.

    Controls can be further classified into three main categories:

    • Administrative: Policies, procedures, baselines, and guidelines are all classified as administrative controls. Items like background checks, acceptable use policies, network policies, onboarding and offboarding policies, etc., fall into this category.
    • Logical or technical: Logical or technical controls are often software-based controls. Firewalls, IDS/IPS, AV, anti-malware, proxies, and similar tools fall under the logical or technical security controls category.
    • Physical: Physical controls are controls in the physical world. Doors, fences, gates, bollards, mantraps, and guards all fall under the physical security controls category.

    Now that we've explored the different categories of controls, you might be wondering how these categories intersect with the various control types we discussed earlier. How do administrative, logical/technical, and physical controls manifest across directive, deterrent, preventive, and other control types?

    The following table provides a comprehensive overview, illustrating how different control types can be implemented across these categories. This will give you a clearer picture of how a well-rounded security strategy incorporates various control types across different aspects of an organization.

    | Type of Control | Administrative | Logical or Technical | Physical |
    |---|---|---|---|
    | Directive | Policies; Procedures | N/A | “Authorized personnel only” signs; Traffic lights |
    | Deterrent | Guidelines | Warning banners | “Beware of dog” signs |
    | Preventive | User registration procedures | Login mechanisms (security kernel); Operating system restrictions | Fences; Radio Frequency (RF) ID badges |
    | Detective | Reviewing violation reports | SIEM systems | CCTV |
    | Corrective | Termination | Unplugging, isolating, and terminating connections | Fire suppression systems |
    | Recovery | DR plans | Backups | Rebuilding |
    | Compensating | Supervision; Job rotation | Logging; CCTV; Keystroke logging | Layered defense |

    FAQs

    What are the four types of cybersecurity controls?

    The four main types of cybersecurity controls are: Preventive, Detective, Corrective, and Deterrent. These are part of the seven major types we discussed earlier, which also include directive, recovery, and compensating controls.

    What are technical security controls?

    Technical security controls, also known as logical controls, are often software-based. They include firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), antivirus software, anti-malware tools, proxies, Security Information and Event Management (SIEM) systems, login mechanisms, and operating system restrictions. These controls are implemented within the technological infrastructure to protect systems and data.

    Master the Art of Security Controls: Your Key to Effective Risk Management

    As cybersecurity threats continue to evolve, so too must our understanding and application of security controls. Staying current with these concepts is not just about passing exams—it's about being prepared to face real-world challenges in protecting critical assets and managing risks effectively.

    At Destination Certification, we recognize the importance of deep, practical knowledge in this area. That's why our CISSP and CCSP MasterClasses go beyond surface-level explanations. We delve into the nuances of security controls, exploring how they interact and how to apply them in various scenarios. Whether you're preparing for certification or looking to enhance your professional skills, our expert-led classes provide the comprehensive understanding you need to excel in the field of cybersecurity.

    Ready to dive deeper into the world of security controls and elevate your cybersecurity expertise? Explore our CISSP and CCSP MasterClasses today and take the next step in your professional journey.


    John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.
