Security Control Categories

Security controls are layered across multiple categories to provide a holistic approach to cybersecurity. Think of an organization's network as a medieval castle, with multiple defense mechanisms:

  • Technical controls: Wall defenses (e.g., firewalls)
  • Physical controls: Watchtowers and guards
  • Operational controls: Procedures and plans
  • Managerial controls: Strategy and governance

4 Categories of Security Controls

  1. Technical Controls

    • Definition: Technologies, hardware, and software mechanisms that help reduce and manage risk within a system.
    • Examples:
      • Antivirus software (automated response to threats)
      • Firewalls
      • Encryption processes
      • Intrusion detection systems (IDS)
    • Function: Provide automated protection to maintain system integrity, confidentiality, and availability.
  2. Managerial Controls (Administrative Controls)

    • Definition: Strategic planning and governance measures that align security strategies with business goals and risk tolerance.
    • Examples:
      • Risk assessments (e.g., evaluating a move to cloud storage)
      • Security policies
      • Training programs
      • Incident response strategies
    • Function: Ensure informed decision-making, align security with business objectives, and foster organization-wide security awareness.
  3. Operational Controls

    • Definition: Procedures and measures that protect data on a day-to-day basis through human actions and internal processes.
    • Examples:
      • Password change policies (e.g., changing passwords every 90 days)
      • Backup procedures
      • Account reviews
      • User awareness training programs
    • Function: Ensure continuous security, adapt to evolving threats, and maintain ongoing security practices.
  4. Physical Controls

    • Definition: Tangible, real-world measures to protect physical and digital assets from unauthorized access.
    • Examples:
      • Surveillance cameras
      • Biometric scanners
      • Reinforced doors, barbed wire fences (for data centers)
      • Secure shredding of sensitive documents
      • Security guards
    • Function: Prevent unauthorized physical access to critical infrastructure and assets.