Control Categories and Goals
Organizations put controls in place to limit harm. Controls can be classified by how they are carried out (category) or by their goal (types). Multiple control types and goals should be employed in a defense-in-depth strategy.
Learning Objectives
By the end of this lesson you should be able to:
- identify the 4 control categories,
- describe the goal of the control types.
Control Categories
There are 4 control categories.
- Managerial: Managerial controls involve the creation of security policy. Organization leaders identify risks and decide which operational, technical, and physical controls are required to reach their security objectives. The costs and benefits of controls are weighed and an appropriate balance is chosen.
- Operational: Operational controls are carried out by people following established security policy. An analyst might review access logs at the end of each week as dictated in established company policy. An access administrator might create accounts for new employees per company policy.
- Technical: Technical controls operate without human intervention. Examples include antivirus, web filtering software, and access controls. Managers may have decided to install website-blocking software on all company laptops. That blocking software will run without any manual human intervention.
- Physical: Physical controls are things that you can touch. Fire extinguishers, paper shredders, door locks, and security cameras are physical controls.
Control Types
- Preventive: Can we stop bad things from happening? A locked door can prevent theft. Antivirus software can prevent known malware from infecting machines. Website-blocking software can prevent people from using company resources inappropriately.
- Deterrent: Can we convince people to act appropriately? Employees might be warned that installing software on their computers could result in discipline. Security cameras monitoring point-of-sale systems might deter employees from sneaking a few dollars into their wallets.
- Detective: If bad things happen, will we know? Detective controls often involve monitoring clients and servers. Logs of computer activity might be sent to a central server for analysis. Malicious activities hopefully trigger alarms that let people know that action needs to be taken.
- Corrective: When bad things happen, can the damage be undone? For example, if data was deleted by a hacker, can the data be restored from backup? If a web developer accidentally deletes the company's logo, can it be restored? Corrective controls often involve backup and restore features. Organizations must decide how much data they are willing to lose because backing everything up in real-time can be expensive. Many organizations perform nightly backups which means that an entire day's data could be lost if systems crash during the day.
- Compensating: If a primary control is not feasible, a compensating control may be used. For example, employees might need to wear identification badges at the office. But what happens when an employee forgets his badge? There may be a process in place whereby an employee is authorized to wear a temporary badge so that he can do his job. The process would likely involve identifying the employee using his driver's license or other official ID, getting his manager's approval, and a security guard logging the use of a temporary badge.
- Directive: Develop and explain controls to an organization. Policies must be deliberated, documented, and disseminated. A policy is of no use if nobody knows about it or it is never implemented.
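The detective control described above (activity logs shipped to a central server, with alarms raised when something looks wrong) is easiest to understand as a small piece of analysis logic. The following is an added example, not code from this lesson: a minimal central-log rule that alerts when one source address produces a burst of failed logins, and again if a login from that source then succeeds. The log lines are constructed for the example and do not come from any real system; the line format, the five-failure threshold and the 60-second window are assumptions chosen for illustration.

```python
"""Minimal detective control: a central log analyser that raises an alarm
when one source produces too many failed logins inside a short window,
and a second alarm if that source then logs in successfully.
Added example; the log lines below are constructed, not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SSH-style authentication log lines (assumed format:
# "<iso-timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>").
SAMPLE_LOGS = """\
2024-05-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2024-05-01T08:00:04 host1 sshd: Failed password for root from 10.0.0.5
2024-05-01T08:00:06 host1 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:00:07 host1 sshd: Failed password for bob from 10.0.0.5
2024-05-01T08:00:09 host1 sshd: Accepted password for bob from 10.0.0.5
2024-05-01T08:15:00 host2 sshd: Failed password for carol from 10.0.0.9
2024-05-01T09:15:00 host2 sshd: Failed password for carol from 10.0.0.9
"""


def parse_line(line):
    """Return (timestamp, host, outcome, user, source_ip), or None for lines
    that do not match the assumed format (a real collector would count these)."""
    parts = line.split()
    if len(parts) < 9 or parts[2] != "sshd:" or parts[4] != "password":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[3], parts[6], parts[8]


def find_login_alerts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: alert once when a source IP reaches `threshold`
    failed logins within `window`; afterwards, alert on any success from that
    IP because it may mean a guessed password. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerted = set()               # source IPs that already triggered the burst rule
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, host, outcome, user, ip = rec
        if outcome == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "failed_login_burst", "source_ip": ip,
                               "host": host, "failures": len(q),
                               "window_start": q[0].isoformat(),
                               "last_seen": ts.isoformat()})
        elif outcome == "Accepted" and ip in alerted:
            alerts.append({"rule": "success_after_burst", "source_ip": ip,
                           "host": host, "user": user, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_login_alerts(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the first rule fires for 10.0.0.5 after its fifth failure in six seconds, and the second fires when bob's login from the same address succeeds; the two failures from 10.0.0.9 an hour apart never reach the threshold. The point of the control is the second half of the sentence in the lesson: an alert is only useful if it reaches a person (or a ticketing system) who then acts on it, so in practice the returned alerts would be forwarded, not just printed.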
Control Matrix
Consider the following matrix that describes sample controls put in place to prevent malware from causing harm to an organization. The use of several types and categories of controls is known as control diversity.
| Anti-Virus | Managerial | Operational | Technical | Physical |
|---|---|---|---|---|
| Preventive | Choose the anti-virus product to fit their needs | Install anti-virus per policy | Antivirus runs 24/7 | Not applicable |
| Deterrent | Penalties for prohibited software installation created | User onboarding includes warnings | Administrative rights removed | Not applicable |
| Detective | Choose anti-virus with central monitoring | Monitor anti-virus alerts | Antivirus sends reports | Not applicable |
| Corrective | Choose backup provider and backup frequency | Manually restore files as needed | Nightly backups run automatically | Backups locked off-site |
| Compensating | Create policies that reduce malware harm | Quarantine infected machines | File integrity monitoring software installed | Not applicable |
| Directive | Establish overall antivirus policy | Deliver anti-virus training quarterly | Policies published on the intranet | Not applicable |
Fictional Scenario 1: Frost Treats
Frost Treats is a Marquette, Michigan ice cream store on 3rd Street. The owner has heard a lot about cybersecurity and wants to improve Frost Treats' security posture. The owner has implemented the following controls. What is wrong with the owner's approach?
- To prevent theft, the owner has positioned two armed security guards at the ordering window.
- A fleet of drones patrols the sky looking for suspicious vehicles.
- Employees must provide 3 forms of government identification before entering the building to work.
- Employees must pass through a metal detector going in and out of work.
- Three nightly backups of the company's accounts are taken. One of the backups is driven to a bunker in Minnesota by an off-duty police officer. Another backup is taken 50 miles offshore in Lake Superior by a retired fisherman. The third backup is stored in an abandoned mineshaft in Ishpeming.

Fictional Scenario 2: Peri Corp
Peri Corp does not want anything malicious to happen on its network. It has implemented the following controls. What is wrong with Peri Corp's controls?
- Intensive email scanning blocks virtually all malicious email attachments.
- An inbound firewall filters attacks from the internet.
- An intrusion prevention system (IPS) scans traffic from the internet for malicious traffic patterns.
- The company's website is served from a segmented portion of the network that is not accessible from internal company systems.
- The company has razor wire fencing preventing unauthorized visitors from entering its buildings.
Peri Corp is so confident that they will block all malicious threats from the internet that they don't take backups or run anti-virus.
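The control matrix above and the two scenarios are both exercises in the same check: lay each control into the category/type grid and look for empty rows and columns. The following is an added example, not part of the lesson, that performs that check in code. The category and type assigned to each scenario control are my own assumptions (the lesson leaves the classification to the reader), so treat them as one reasonable reading rather than an answer key.

```python
"""Control-diversity check: tabulate controls by category and type, then
report which categories and types of the matrix are left empty.
Added example; the scenario classifications are assumptions, not from the lesson."""

CATEGORIES = ("Managerial", "Operational", "Technical", "Physical")
TYPES = ("Preventive", "Deterrent", "Detective", "Corrective", "Compensating", "Directive")


def build_matrix(controls):
    """controls: iterable of (name, category, type).
    Returns dict mapping (type, category) -> list of control names."""
    matrix = {(t, c): [] for t in TYPES for c in CATEGORIES}
    for name, category, ctype in controls:
        if category not in CATEGORIES or ctype not in TYPES:
            raise ValueError(f"unknown category/type for {name!r}: {category}/{ctype}")
        matrix[(ctype, category)].append(name)
    return matrix


def diversity_report(controls):
    """Summarise coverage: which types and categories have no control at all."""
    matrix = build_matrix(controls)
    covered_types = {t for (t, c), names in matrix.items() if names}
    covered_cats = {c for (t, c), names in matrix.items() if names}
    return {
        "missing_types": [t for t in TYPES if t not in covered_types],
        "missing_categories": [c for c in CATEGORIES if c not in covered_cats],
        "filled_cells": sum(1 for names in matrix.values() if names),
    }


def render_matrix(controls):
    """Render the grid in the same row/column layout as the lesson's table."""
    matrix = build_matrix(controls)
    lines = ["| Type | " + " | ".join(CATEGORIES) + " |",
             "|---|" + "---|" * len(CATEGORIES)]
    for t in TYPES:
        cells = [", ".join(matrix[(t, c)]) or "-" for c in CATEGORIES]
        lines.append(f"| {t} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


# Assumed classification of the Frost Treats controls (my reading, not the lesson's).
FROST_TREATS = [
    ("Armed guards at ordering window", "Physical", "Deterrent"),
    ("Drone patrols watching for suspicious vehicles", "Physical", "Detective"),
    ("Three forms of government ID to enter", "Operational", "Preventive"),
    ("Metal detector at the door", "Physical", "Preventive"),
    ("Three nightly backups stored off-site", "Physical", "Corrective"),
]

# Assumed classification of the Peri Corp controls (my reading, not the lesson's).
PERI_CORP = [
    ("Email attachment scanning", "Technical", "Preventive"),
    ("Inbound firewall", "Technical", "Preventive"),
    ("Intrusion prevention system", "Technical", "Preventive"),
    ("Segmented web server network", "Technical", "Preventive"),
    ("Razor wire fencing", "Physical", "Preventive"),
]

if __name__ == "__main__":
    for label, controls in (("Frost Treats", FROST_TREATS), ("Peri Corp", PERI_CORP)):
        print(f"== {label} ==")
        print(render_matrix(controls))
        print(diversity_report(controls))
```

With these assumptions the report makes the lesson's point mechanically: Frost Treats has spent heavily on physical controls but has no managerial or technical controls and nothing directive or compensating, while Peri Corp fills only the preventive row, with no detective or corrective control to fall back on when prevention fails.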

Summary
Organizations must use different controls from all categories and types. No single control can prevent all harm. Using a variety of control categories and types is known as control diversity, one form of a defense-in-depth strategy.
Challenge
How would you classify the following controls according to the category and type?
- Security cameras
- Antivirus
- Performing a risk assessment
- Disabling an employee's account
- Reviewing website logs
- Door locks
Reflection
- If you had $1 million to budget for all 4 control categories, how much would you spend on each category?
- Who is ultimately responsible for deciding if the controls are sufficient? The organization? The government? Customers?
- What controls do you have in place to protect your physical and digital well-being?
Key Terms
- Managerial Controls: Policies, procedures, and guidelines established by an organization's management to ensure the security and proper functioning of information systems. These controls focus on the administrative aspects of security, such as risk management, security planning, and compliance.
- Operational Controls: Day-to-day procedures and practices implemented to protect information systems and ensure their secure operation. These controls include activities such as user training, incident response, and regular system monitoring.
- Technical Controls: Security measures implemented through hardware and software to protect information systems. These controls include firewalls, encryption, access control mechanisms, and intrusion detection systems.
- Physical Controls: Security measures designed to protect the physical infrastructure of information systems. These controls include locks, security guards, surveillance cameras, and access control systems to prevent unauthorized physical access to facilities and equipment.
- Preventive Controls: Measures taken to prevent security incidents from occurring. These controls aim to stop threats before they can cause harm and include actions such as implementing strong authentication, using antivirus software, and conducting regular security training.
- Deterrent Controls: Measures designed to discourage potential attackers from attempting to breach security. These controls create an environment that makes it less attractive or more difficult for attackers to succeed, such as warning signs, legal penalties, and visible security measures.
- Detective Controls: Measures implemented to identify and detect security incidents as they occur. These controls help in recognizing and responding to threats in a timely manner and include tools such as intrusion detection systems, security audits, and log monitoring.
- Corrective Controls: Measures taken to correct and recover from security incidents. These controls aim to restore systems to their normal state and mitigate the impact of an incident, such as applying patches, restoring backups, and conducting post-incident analysis.
- Compensating Controls: Alternative measures implemented to provide security when primary controls are not feasible or effective. These controls offer a way to achieve the same security objectives through different means, such as using additional monitoring when strong authentication is not possible.
- Directive Controls: Measures designed to specify acceptable behavior and guide actions towards achieving security objectives. These controls include policies, procedures, and guidelines that direct how security should be implemented and maintained within an organization.