Control (Security Control)
A defense or countermeasure put in place to manage risk.
Policies, strategies, technologies, configuration settings, etc., established in collaboration with the various departments of an organization to help mitigate known risks.
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures; these can be administrative, technical, management, or legal in nature.
Technical / Logical Controls
Implemented through hardware or software.
May serve any of the functional roles described below: deterrent, preventive, detective, corrective, or compensating.
Examples:
Patching
Firewalls, IDS/IPS
Access Controls
Administrative / Management Controls
Purpose: to implement security policies based on procedures, standards, and guidelines.
Examples:
Documents, policies, procedures, and guidelines:
Acceptable Use Policy
Incident Response Plan (IRP)
People/Personnel:
Security Operations Center
Guards
Surveillance
Security Awareness Training
Physical / Operational Controls
Reduce the risk of harm coming to physical property, information, computer systems, or other assets.
Examples:
Hardened Facility
Locks
Badges
Deterrent Controls
Intended to discourage individuals from intentionally violating security policies, procedures, or technologies.
Highly visible (e.g., warning banners, visible cameras, posted policies).
Reduce offenses or abuses by influencing the would-be violator's choices; they lower likelihood rather than block the action outright.
Preventive Controls
Stop an unwanted event before it occurs.
Proactive measures that block the action at the point of attempt.
Examples:
Access, authentication, authorization, verification.
Separation of Duties
Technical Standards
Network Security - Firewalls, IPS
Internet Filtering
Detective Controls
Identify and warn of anomalies or violations while or after they occur; they do not stop the event.
Automated or manual.
Reactive.
Examples:
Cameras
Motion Sensors
Intrusion Detection System / SIEM
Audits
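The preventive and detective categories above are easiest to tell apart in code. The following added example (not part of the original notes) implements Separation of Duties two ways: as a preventive control that refuses a self-approval before it is recorded, and as a detective control that audits an existing approval log after the fact and can only report violations. The workflow, the log format and the sample log lines are constructed for this illustration and do not come from any real product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


class SeparationOfDutiesError(PermissionError):
    """Raised when the same person would both request and approve a change."""


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    approver: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def approve(change: ChangeRequest, approver: str) -> ChangeRequest:
    """Preventive control: the separation-of-duties check runs *before* the
    approval takes effect, so a self-approval is never recorded as approved."""
    if approver == change.requester:
        change.audit_log.append(
            f"DENIED {change.change_id} approver={approver} requester={change.requester}"
        )
        raise SeparationOfDutiesError(
            f"{approver} may not approve their own change {change.change_id}"
        )
    change.approver = approver
    change.audit_log.append(
        f"APPROVED {change.change_id} approver={approver} requester={change.requester}"
    )
    return change


# Constructed sample log (hypothetical format) from a system that lacks the
# preventive check above, so a self-approval could slip through.
SAMPLE_APPROVAL_LOG = """\
2024-03-01T09:12:04Z APPROVED CHG-101 approver=bob requester=alice
2024-03-01T10:40:19Z APPROVED CHG-102 approver=carol requester=bob
2024-03-02T08:03:55Z DENIED CHG-103 approver=dave requester=dave
2024-03-02T14:27:31Z APPROVED CHG-104 approver=alice requester=alice
2024-03-03T11:00:00Z APPROVED CHG-105 approver=bob requester=carol
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>APPROVED|DENIED) (?P<change>\S+) "
    r"approver=(?P<approver>\S+) requester=(?P<requester>\S+)$"
)


def find_sod_violations(log_text: str) -> List[str]:
    """Detective control: an after-the-fact audit over recorded approvals.
    It cannot undo a completed self-approval; it can only surface it.
    A DENIED self-approval is not a violation, because the action never happened."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore malformed or unrelated lines
        if m["outcome"] == "APPROVED" and m["approver"] == m["requester"]:
            violations.append(m["change"])
    return violations


if __name__ == "__main__":
    chg = ChangeRequest("CHG-200", requester="alice")
    try:
        approve(chg, "alice")
    except SeparationOfDutiesError as exc:
        print("preventive:", exc)
    approve(chg, "bob")
    print("detective:", find_sod_violations(SAMPLE_APPROVAL_LOG))
```

Run as a script it prints the preventive denial and then `['CHG-104']`, the one self-approval that the audit finds in the sample log. The denied attempt (CHG-103) is deliberately not reported: the detective control flags outcomes, while the preventive control is what stopped that attempt from becoming one.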
Corrective Controls
Measures that lessen the harmful effects of an event or restore the impacted system to its intended state.
Mostly reactive measures, applied after a detective control has surfaced the problem.
Examples:
Patching/Upgrades
Hardening (Physical / Logical)
Process Improvements
Compensating Control
Alternate controls intended to reduce the risk of an existing or potential control weakness, used when the primary control cannot be implemented as specified (e.g., a legacy system that cannot be patched).
A mechanism that satisfies a required security measure by other means.
PCI DSS (Appendix B, Compensating Controls) requires that a compensating control:
Meet the intent and rigor of the original stated requirement.
Provide a similar level of defense as the original requirement.
Be "above and beyond" other requirements.
Be commensurate with the additional risk imposed by not adhering to the requirement.