Categories of Control

You can increase operational security and protect an organization's assets in many ways. To a large degree, operational security is about control. There are six broad categories of controls:

• Preventive controls Mechanisms and tools designed to prevent actions that increase risk or violate security policies. Physical barriers such as fences and locks are examples of a preventive control.
• Detective controls Processes, tools, or methods used to identify and react to security violations. Administrative actions such as auditing are examples of a detective control.
• Corrective controls Applications, programs, or practices used to react to an adverse event and to reduce or eliminate risks associated with the event. A technical solution such an IDS or IPS system that can respond to an adverse event is an example of a corrective control.
• Recovery controls Practices, processes, or mechanisms to restore the operating state to normal after an attack or system failure. Technical solutions such as RAID and tape backup are examples of recovery controls.
• Deterrent controls Systems, tools, and procedures used to discourage violations. An administrative policy stating that those who place unauthorized modems or wireless devices on the network could be fired is an example of a deterrent control.
• Directive controls Procedures and documents used to preclude or mandate actions to reduce risk. An administrative policy stating that all employee candidates must have their educational and employment history background verified is an example of a directive control.

If you are wondering how to keep up with all these controls, it might help to consider that all the individual items discussed can be categorized as either an administrative, technical, or physical control.