Security Control Types
Security controls
To help with reviewing or designing security controls, they can be classified by several criteria, for example according to the time at which they act relative to a security incident:

- Before the event, preventive controls are intended to stop an incident from occurring, e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by restoring the organization to normal working status as efficiently as possible.
Security controls can also be categorized according to their nature, for example:

- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001.