• A defense or countermeasure to put in place to manage risk.
  • Policies, strategies, technologies, configuration settings, etc. established in collaboration with various departments of an organization to help mitigate known risks.
  • The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.

Control Categories

  • Technical / Logical Controls
    • Implemented through technology.
    • May be deterrent, preventive, detective, or compensating.
    • Examples:
      • Patching
      • Firewalls, IDS/IPS
      • Access Controls
  • Administrative / Management Controls
    • Purpose: to implement security policies based on procedures, standards, and guidelines.
    • Documents, policies, procedures, and guidelines.
      • Acceptable Use Policy
      • Incident Response Plan (IRP)
    • People/Personnel
      • Security Operations Center
      • Guards
      • Surveillance
    • Security Awareness Training
  • Physical / Operational Controls
    • Reduce the risk of harm coming to physical property, information, computer systems, or other assets.
    • Examples:
      • Hardened Facility
      • Locks
      • Badges

Control Types

  • Deterrent Controls
    • Intended to discourage individuals from intentionally violating security policies, procedures, or technologies.
    • Highly visible.
    • Prevent offenses or abuses by influencing choices.
  • Preventive Controls
    • Stop an unwanted event.
    • Proactive measures.
    • Examples:
      • Access, authentication, authorization, verification.
      • Separation of Duties
      • Technical Standards
      • Network Security - Firewalls, IPS
      • Internet Filtering
  • Detective Controls
    • Warning of anomalies or violations.
    • Automated or Manual
    • Reactive
    • Examples:
      • Cameras
      • Motion Sensors
      • Intrusion Detection System / SIEM
      • Audits
  • Corrective Controls
    • Measures to lessen harmful effects or restore the system being impacted.
    • Mostly reactive measures.
    • Examples:
      • Patching/Upgrades
      • Hardening (Physical / Logical)
      • Process Improvements
  • Compensating Controls
    • Alternate controls that are intended to reduce the risk of an existing or potential control weakness.
    • Mechanism that satisfies a required security measure.
    • PCI DSS requires that a compensating control:
      • Meet the intent and rigor of the original stated requirement.
      • Provide a similar level of defense as the original requirement.
      • Be "above and beyond" other requirements.
      • Be commensurate with the additional risk imposed by not adhering to the requirement.