A complete control strategy is crucial for safeguarding any organization's assets and information. But what truly makes a control strategy complete? The answer lies in understanding and implementing the right mix of control types.
As a CISSP candidate, developing a deep understanding of these various control types and how they work together to create a robust security framework is essential. This knowledge forms the foundation for effectively protecting critical assets and managing risks in real-world scenarios.
In this guide, we'll explore the key types of controls your security strategy should have in place. We'll delve into their definitions, examples, and how they contribute to a layered defense approach. Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, you'll find valuable insights here.
Let's dive into the world of security controls and discover how they form the backbone of a comprehensive cybersecurity strategy.
Different Types of Security Controls
Security controls are essential tools in managing and mitigating risks within an organization. They come in various forms, each serving a specific purpose in the overall security strategy. Understanding these different types of controls is crucial for implementing a defense-in-depth approach, also known as layered security.
Let's explore the seven major types of controls that can be put in place to protect an organization's assets and information:
Type of Control | Description |
---|---|
Directive | Directive controls direct, confine, or control the actions of subjects to force or encourage compliance with security policies. An example of a directive control is a mandate or a corporate policy. |
Deterrent | Deterrent controls discourage violation of security policies. An example is a sign warning that a piece of land is private property and trespassers will be shot. Nothing prevents someone from walking past the sign, but it's a good deterrent. |
Preventive | Preventive controls stop undesired actions or events from happening. For example, a fence prevents someone from walking onto private property. Another example is keeping flammable materials out of an area, thereby preventing a fire from starting. |
Detective | Detective controls are designed to identify that an incident has occurred. Importantly, detective controls operate after an incident has already occurred. An example is a smoke alarm detecting smoke. |
Corrective | Corrective controls are used to minimize the negative impact of an incident. An example is a fire suppression system activating. |
Recovery | Recovery controls are designed to recover a system or process and return it to normal operations following an incident. An example is a data backup policy that allows data on an affected server to be restored after an incident has taken place. |
Compensating | Compensating controls are typically deployed in conjunction with other controls to aid in the enforcement and support of those controls; they make up for the absence or weakness of other effective controls. Compensating controls can also be used in place of another control to provide the required security. One example is deploying a Host Intrusion Prevention System (HIPS) on a critical server in addition to having a Network Intrusion Prevention System (NIPS) operating on that server's subnet. This way, if any offending traffic manages to slip past the NIPS, the HIPS on the server may still be able to prevent malware from damaging it. |
Remember that detective, recovery, and corrective controls are enforced after an incident is present. However, deterrent, directive, preventive, and compensating controls are applicable before an incident takes place. It is always better to stop something bad from happening than it is to deal with it after it has happened.
We should aim to implement complete controls, which are combinations of preventive, detective, and corrective controls. The idea behind this is that there is no perfect preventive control, so detective and corrective controls should also be implemented in conjunction. At a minimum, you should ensure that preventive, detective, and corrective controls are implemented at each layer of defense.
Categories of Controls
After understanding the different types of controls, it's important to recognize how these controls can be categorized. This categorization helps in understanding their nature and application in various security contexts. A way to categorize the security controls we just reviewed is as safeguards or countermeasures.
Safeguards are proactive controls; they are put in place before an incident has occurred to deter or prevent it from manifesting. Safeguards include directive, deterrent, preventive, and compensating controls.
Countermeasures are reactive controls. They act after an incident has occurred and aim to detect and respond to it accordingly. Countermeasures include detective, corrective, and recovery controls.
Controls can be further classified into three main categories:
- Administrative: Policies, procedures, baselines, and guidelines are all classified as administrative controls. Items like background checks, acceptable use policies, network policies, onboarding and offboarding policies, etc., fall into this category.
- Logical or technical: Logical or technical controls are often software-based controls. Firewalls, IDS/IPS, AV, anti-malware, proxies, and similar tools fall under the logical or technical security controls category.
- Physical: Physical controls are controls in the physical world. Doors, fences, gates, bollards, mantraps, and guards all fall under the physical security controls category.
Now that we've explored the different categories of controls, you might be wondering how these categories intersect with the various control types we discussed earlier. How do administrative, logical/technical, and physical controls manifest across directive, deterrent, preventive, and other control types?
The following table provides a comprehensive overview, illustrating how different control types can be implemented across these categories. This will give you a clearer picture of how a well-rounded security strategy incorporates various control types across different aspects of an organization.
Type of Control | Administrative | Logical or Technical | Physical |
---|---|---|---|
Directive | | N/A | |
Deterrent | | | |
Preventive | | | |
Detective | | | |
Corrective | | | |
Recovery | | | |
Compensating | | | |
FAQs
What are the four main types of cybersecurity controls?
The four main types of cybersecurity controls are: Preventive, Detective, Corrective, and Deterrent. These are part of the seven major types we discussed earlier, which also include directive, recovery, and compensating controls.
What are technical security controls?
Technical security controls, also known as logical controls, are often software-based. They include:
- Firewalls
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Antivirus software
- Anti-malware tools
- Proxies
- Security Information and Event Management (SIEM) systems
- Login mechanisms
- Operating system restrictions
These controls are implemented within the technological infrastructure to protect systems and data.
Master the Art of Security Controls: Your Key to Effective Risk Management
As cybersecurity threats continue to evolve, so too must our understanding and application of security controls. Staying current with these concepts is not just about passing exams—it's about being prepared to face real-world challenges in protecting critical assets and managing risks effectively.
At Destination Certification, we recognize the importance of deep, practical knowledge in this area. That's why our CISSP and CCSP MasterClasses go beyond surface-level explanations. We delve into the nuances of security controls, exploring how they interact and how to apply them in various scenarios. Whether you're preparing for certification or looking to enhance your professional skills, our expert-led classes provide the comprehensive understanding you need to excel in the field of cybersecurity.
Ready to dive deeper into the world of security controls and elevate your cybersecurity expertise? Explore our CISSP and CCSP MasterClasses today and take the next step in your professional journey.
John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.