5.0 Governance, Risk, and Compliance

5.1 Compare and Contrast various types of controls

Last edited 722 days ago by Makiel [Muh-Keel].

Implementing Security Controls

As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems.
They express these requirements by writing the control objectives that the organization wishes to achieve.
These control objectives are statements of a desired security state, but they do not, by themselves, actually carry out security activities.
Security controls are specific measures that fulfill the security objectives of an organization.

Security Control Categories

Security controls are categorized based on their mechanism of action: the way that they achieve their objectives.
There are three different categories of security control:

👾Technical Controls

These are the security measures that the computer system carries out independently.
They are often embedded in the operating systems and other software so they can control access to data and resources. Examples of Technical Controls include:
Firewalls: These are systems designed to prevent unauthorized access to or from a private network.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS): These systems monitor network traffic for suspicious activity and issue alerts when such activity is discovered.
Access controls: These controls restrict who or what can view or use resources in a computing environment.
Encryption: This is a method of converting data into a code to prevent unauthorized access.

⚠️Operational Controls

Operational Controls: These are the day-to-day procedures and mechanisms put in place to enhance the security of an organization.
They are primarily implemented and executed by people as opposed to systems. Examples of operational controls include:
Physical security: This includes controls like locks, security guards, and CCTV systems that physically protect an organization's assets.
Backup and recovery procedures: These procedures ensure that important data can be recovered in the event of a loss.
Configuration management: This involves maintaining an inventory of all hardware and software components within an organization and ensuring they are properly configured.
Change management: This process ensures that changes to the system or environment are documented and authorized to prevent unauthorized alterations that could impact security.

👨🏾‍💼Managerial Controls

Managerial (or Administrative) Controls: These are the policies and procedures implemented by an organization's management to define the rules for behavior within the organization.
They are focused on managing the organization's risk and the security posture of the system. Examples of managerial controls include:
Security policies and procedures: These documents outline the security measures an organization has in place and how they are to be used.
Risk assessment: This is the process of identifying and assessing the potential risks that could harm an organization's operations or assets.
Security training and awareness programs: These programs ensure that employees are aware of the potential security threats and understand the organization's security policies.
Incident response plans: These plans outline the steps an organization will take in the event of a security incident.

Organizations should select a set of security controls that meets their control objectives based on the criteria and parameters that they either select for their environment or have imposed on them by outside regulators.

🪪Security Control Types

CompTIA also divides security controls into types, based on their desired effect. The types of security control include the following:
Preventive Controls: These are designed to prevent an incident from occurring. They are proactive measures that aim to stop a threat before it can exploit a vulnerability.
Examples include firewalls, antivirus software, user training, strong passwords, and security policies.
Detective Controls: These are designed to identify and react to an incident that has occurred or is occurring. They are reactive measures that aim to discover attacks and trigger preventive measures or corrective actions.
Examples include intrusion detection systems (IDS), log monitoring, security audits, and surveillance cameras.
Corrective Controls: These are designed to mitigate the damage caused by an incident. They come into play during or after an incident and aim to limit the extent of any damage and recover the system to normal as quickly as possible.
Examples include backup and restore procedures, disaster recovery plans, and system hardening after an attack.
Deterrent Controls: These are designed to discourage a potential attacker. While they may not prevent an attack, they make the system less attractive to potential attackers by increasing the risk of detection or punishment.
Examples include warning banners stating that unauthorized access is prohibited, security badges, and security guards.
Compensating Controls: These are alternative controls used when a primary control is not feasible or cost-effective. They provide a similar level of protection and are often used when the primary control can't be applied.
For example, if a system cannot support the latest encryption standard (a primary control), a compensating control might be to implement additional network segmentation or monitoring.
Compensating controls are often tied to compliance, where a required control cannot be implemented as written and an equivalent safeguard must be documented instead.
Physical Controls: These are physical measures used to prevent unauthorized access to physical assets such as buildings, systems, and data centers. They are a type of preventive control.
Examples include locks, fences, security guards, CCTV cameras, and biometric access controls like fingerprint scanners or facial recognition systems.