Security Control Categories
Security controls protect a system or data asset by preserving confidentiality, integrity, availability, and non-repudiation. Depending on who implements them and what form they take, controls are categorized as managerial, operational, technical, or physical. Examples include risk assessments (managerial), security guard patrols (operational), firewalls (technical), and security cameras (physical).
Key points:
Confidentiality: Limiting access to information to authorized users only.
Integrity: Ensuring data is accurate and has not been tampered with.
Availability: Guaranteeing that information is accessible to authorized users when needed.
Non-repudiation: Preventing a user from denying their actions on a system.
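Integrity and non-repudiation are easy to confuse, because both involve checking that a message is genuine. The Go program below is an added example, not code from the original post, that shows the difference: an HMAC under a shared key detects tampering (integrity) but cannot prove which party produced the message, since the receiver holds the same key and can mint a valid tag itself; an Ed25519 signature detects tampering and, because only the sender's private key can produce it, also supports non-repudiation. The message text, keys, and the Scenario/Outcome names are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Integrity control: an HMAC over the message under a key shared by sender and
// receiver. Any change to the message changes the tag, so tampering is detected.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so the check does not leak the tag byte by byte.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Non-repudiation control: a digital signature. Only the holder of the private
// key can produce a valid signature; anyone holding the public key can verify
// it without being able to forge one.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySig guards the key length first, since ed25519.Verify panics on a malformed key.
func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// Outcome records the results of the constructed scenario below.
type Outcome struct {
	HMACValid          bool // untouched message passes the integrity check
	HMACTamperDetected bool // altered message fails the integrity check
	HMACForgedByPeer   bool // receiver can mint a tag the check accepts (no non-repudiation)
	SigValid           bool // untouched message passes signature verification
	SigTamperDetected  bool // altered message fails signature verification
	SigForgeryRejected bool // receiver's own "signature" is rejected (non-repudiation)
}

// Scenario runs a constructed exchange: the sender protects an order message
// with both an HMAC (shared key) and an Ed25519 signature (private key); the
// receiver then checks the original, a tampered copy, and a forgery attempt.
func Scenario() (Outcome, error) {
	var out Outcome

	// Constructed sample message, tampered copy, and a fresh shared HMAC key.
	msg := []byte("transfer 100.00 to account 4411")
	tampered := []byte("transfer 900.00 to account 4411")
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return out, err
	}

	tag := Tag(shared, msg)
	out.HMACValid = VerifyTag(shared, msg, tag)
	out.HMACTamperDetected = !VerifyTag(shared, tampered, tag)
	// The receiver holds the same key, so it can produce a tag that passes:
	// the HMAC proves the message was not altered, not who wrote it.
	out.HMACForgedByPeer = VerifyTag(shared, tampered, Tag(shared, tampered))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := Sign(priv, msg)
	out.SigValid = VerifySig(pub, msg, sig)
	out.SigTamperDetected = !VerifySig(pub, tampered, sig)
	// The receiver has only the public key; a signature made with any other
	// key is rejected, so a valid signature can only have come from the sender.
	_, peerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.SigForgeryRejected = !VerifySig(pub, tampered, Sign(peerPriv, tampered))

	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

In practice the non-repudiation property also depends on the private key staying private and on a trustworthy binding between the key and the signer (for example a certificate), which is why the technical control is usually paired with managerial controls such as key-management policy.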
Control categories:
Managerial: Policies, procedures, risk assessments, and oversight functions performed by management.
Operational: Actions taken by users and system administrators, such as security awareness training and access control procedures.
Technical: Hardware and software mechanisms such as firewalls, encryption, and access control systems.
Physical: Measures that protect the premises and equipment, such as locks, alarms, cameras, access control vestibules (mantraps), turnstiles, and site access controls.
Example controls in each category:
Managerial: Security policy document, risk management process, vendor assessment
Operational: User access reviews, password management procedures, incident response plan
Technical: Intrusion detection system, antivirus software, port security, 802.1X, least privilege enforced through group policy, data encryption
Physical: Building access control system, security cameras, data center environmental controls