Security Control Categories

(OBJ 1.1)

4 Broad categories of Security controls

• Technical Controls

  • Technologies, hardware, and software mechanisms that are implemented to manage and reduce risks
  • Operate within the systems technological layer
  • Examples:
    • Firewalls,
    • Intrusion Detection - Prevention (IDS, IPS),
    • Encryption Processes

• Managerial Controls

  • Sometimes also referred to as administrative controls
  • Involve the strategic planning and governance side of security
  • Ensures security strategies aligns with business stretegies
  • Examples:
    • Making informed decisions about security risks

• Operational Controls

  • Procedures and measures that are designed to protect data on a day-to-day basis
  • Are mainly governed by internal processes and human actions
  • Examples:
    • Policies of changing password every 90 days
    • Backup procedures
    • Account reviews
    • User Training Programs

• Physical Controls

  • Tangible, real-world measures taken to protect assets
  • Protect facilities that house our critical servers and devices
  • Examples:
    • Shredding of sensitive documents
    • Security guards
    • Locking the doors