Security Control Types

Security controls are implemented to address specific threats and vulnerabilities within an organization. There are six basic types of security controls, each serving a different function:

  • Preventative Controls
  • Deterrent Controls
  • Detective Controls
  • Corrective Controls
  • Compensating Controls
  • Directive Controls

6 Control Types

  1. Preventative Controls

    • Definition: Proactive measures designed to prevent potential security threats or breaches before they happen.
    • Purpose: Fortify systems to stop incidents from occurring.
    • Examples:
      • Firewalls (block harmful data packets before they penetrate the network)
      • Antivirus software (prevents malware infections)
      • Access control mechanisms
    • Function: Prevent security incidents before they can impact the system.
  2. Deterrent Controls

    • Definition: Controls aimed at discouraging potential attackers by making threats seem less appealing or more challenging.
    • Purpose: Deter attackers from attempting to compromise systems.
    • Examples:
      • Warning signs (e.g. "Surveillance cameras in use" outside a property)
      • Monitoring banners (on websites or networks to indicate surveillance)
      • Visible security systems (e.g. alarm systems, security guards)
    • Function: Make attacking appear riskier or not worth the effort.
  3. Detective Controls

    • Definition: Controls that monitor and alert organizations to malicious activities as they occur or shortly thereafter.
    • Purpose: Detect and notify organizations of incidents in real time.
    • Examples:
      • Security cameras (monitor and record activities)
      • Intrusion Detection Systems (IDS) (monitor network traffic for unusual behavior)
      • Log monitoring tools (track suspicious user activity)
    • Function: Detect and notify of security breaches or suspicious activities.
  4. Corrective Controls

    • Definition: Controls that respond to security incidents after detection, aiming to mitigate damage and restore systems to normal.
    • Purpose: Recover and restore systems after an attack.
    • Examples:
      • Antivirus software (detects and removes malware)
      • Incident response actions (e.g. isolating affected systems, restoring backups)
      • System reconfigurations after a breach
    • Function: Mitigate damage and return systems to a secure state.
  5. Compensating Controls

    • Definition: Alternative measures implemented when primary controls are not feasible or effective.
    • Purpose: Provide continued protection when ideal controls cannot be used.
    • Examples:
      • Using WPA2 encryption with a VPN on legacy systems instead of WPA3 encryption
      • Extra layers of security (e.g. implementing additional monitoring tools when a primary control fails)
    • Function: Offer backup protections when the best solution isn't available.
  6. Directive Controls

    • Definition: Controls that guide, inform, or mandate specific actions or behaviors.
    • Purpose: Set policies and guidelines to ensure proper security conduct within the organization.
    • Examples:
      • Acceptable Use Policy (AUP) (sets guidelines for how employees can use IT assets)
      • Security policies and procedures (define security protocols)
      • Training and awareness programs (inform users of best practices)
    • Function: Provide direction on behavior and security procedures to ensure consistency and compliance.