A defense or countermeasure to put in place to manage risk.
Policies, strategies, technologies, configuration settings, etc. established in collaboration with various departments of an organization to help mitigate known risks.
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
Technical / Logical Controls
Implemented through technology.
May be deterrent, preventive, detective, or compensating.
Administrative / Management Controls
Purpose: to implement security policies based on procedures, standards, and guidelines.
Documents, policies, procedures, and guidelines.
Acceptable Use Policy
Incident Response Plan (IRP)
Security Operations Center
Security Awareness Training
Physical / Operational Controls
Reduce the risk of harm coming to physical property, information, computer systems, or other assets.
Deterrent Controls
Intended to discourage individuals from intentionally violating security policies, procedures, or technologies.
Prevent offenses or abuses by influencing choices.
Preventive Controls
Stop an unwanted event before it occurs.
Access control, authentication, authorization, verification.
Separation of Duties
Network Security - Firewalls, IPS
Detective Controls
Warn of anomalies or violations.
Automated or Manual
Intrusion Detection System / SIEM
Corrective Controls
Measures to lessen harmful effects or restore the system being impacted.
Mostly reactive measures.
Hardening (Physical / Logical)
Compensating Controls
Alternate controls intended to reduce the risk of an existing or potential control weakness.
Mechanism that satisfies a required security measure when the original requirement cannot be met as stated.
A compensating control must:
Meet the intent and rigor of the original stated requirement.
Provide a similar level of defense as the original requirement.
Be "above and beyond" other requirements.
Be commensurate with the additional risk imposed by not adhering to the requirement.