Security Control
A mechanism, policy, procedure, or technology designed to prevent security events, minimize their impact, and limit damage if an incident occurs.
Technical Control
A security control implemented through technology or computer systems, such as firewalls, antivirus software, and operating system access controls. These operate automatically without human intervention.
Managerial Control
Also called administrative controls. Involves planning, design, and governance of security β security policies, SOPs, risk assessments. Defines how security is managed at an organizational level.
Operational Control
Controls implemented and carried out by people rather than systems. Includes security guards, employee awareness programs, and operational procedures for handling sensitive information.
Physical Control
Controls that limit or prevent physical access to buildings, rooms, or equipment. Examples: guard shacks, fences, locks, and badge readers.
Preventive Control
A control type designed to block unauthorized access or security incidents before they occur. Examples: firewall rules, door locks, guard shack ID checks.
Deterrent Control
A control that discourages attackers from attempting an intrusion. Does not directly prevent access β it makes attacks less likely by creating a psychological barrier. Examples: warning signs, visible cameras, legal splash screens.
Detective Control
A control that identifies and records security incidents during or after their occurrence. Used to detect suspicious activity and collect evidence. Examples: log reviews, motion detectors, SIEM alerts.
Corrective Control
A control applied after an incident has been detected. Purpose is to restore systems, mitigate damage, and resume operations. Examples: restoring from backup, contacting law enforcement, fire extinguisher use.
Compensating Control
An alternative security measure used when a primary control is insufficient or cannot be implemented immediately. Often temporary. Example: blocking a vulnerable app via firewall instead of patching it.
Directive Control
A control that guides individuals toward compliant and secure behavior through instructions and policies. Considered relatively weak because it relies on people following directions. Examples: "Authorized Personnel Only" signs, training, compliance policies.
Defense in Depth
A security strategy that uses multiple layers of controls so that if one fails, others remain in place. No single control is relied upon exclusively.
Standard Operating Procedure (SOP)
A set of step-by-step instructions for performing routine operations. SOPs are a form of managerial/administrative control that ensure consistent security practices.
Badge Reader
An electronic device that reads access badges to control entry to physical spaces. A physical control that also creates an audit log of entry events.
Firewall
A technical control that monitors and filters incoming/outgoing network traffic based on defined security rules. Can be both preventive (blocking traffic) and detective (logging events).
Separation of Duties
A compensating control that requires more than one person to complete a sensitive task. Reduces the risk of fraud or insider abuse because no single person has total control.
Ransomware Mitigation
A corrective control strategy β typically restoring data from unaffected backups β to recover from a ransomware attack and resume operations.