SHREE LEARNING ACADEMY

Security Controls | CompTIA Security+ 701

In the vast digital landscape and physical world, security risks loom large. Whether it's sensitive data, physical property, or computer systems, numerous assets are at stake. To fortify against potential threats, we rely on a comprehensive set of security controls. These controls are designed to prevent security events, minimize their impact, and limit the resulting damage.

The Diverse World of Security Controls

Security controls come in various forms, tailored to address specific aspects of potential vulnerabilities. They act as the first line of defense in a world filled with cyber threats and physical risks. Let us see the categories of these security controls.

Technical Controls: Defending in the Digital Realm

Implementation through Systems: Technical controls are executed through systems, leveraging the capabilities of technology to bolster security. Examples include operating system controls, which regulate user access and permissions, and firewalls that monitor and control network traffic. Anti-virus software is another crucial technical control, protecting systems from malicious software.

Example: Imagine your computer as a fortress. The operating system acts as the gatekeeper, allowing or denying access to different users. A firewall is like the protective barrier around the fortress, keeping out unwanted visitors, while anti-virus software acts as vigilant guards scanning for potential threats.

Managerial Controls: Orchestrating Security Design

Administrative Oversight: Managerial controls focus on the administrative aspects of security design and implementation. They include security policies that set the guidelines for acceptable behavior and standard operating procedures outlining specific security protocols.

Example: Think of managerial controls as the rules and guidelines that govern the behavior of people within a community. Just like a town has rules to maintain order, organizations have security policies to ensure everyone understands and follows the prescribed security measures.

Operational Controls: Human-Centric Safeguards

People-Powered Security: Operational controls rely on human intervention to implement security measures. This includes security guards who physically monitor and protect premises and awareness programs designed to educate individuals about potential risks and the best practices to mitigate them.

Example: Operational controls are akin to having security personnel patrolling the streets of a neighborhood. They serve as the eyes and ears on the ground, actively deterring and responding to security threats.

Physical Controls: Securing the Tangible

Tangible Safeguards: Physical controls limit physical access to assets. This includes measures such as guard shacks, fences, locks, and badge readers. These controls are essential for protecting physical spaces and ensuring only authorized individuals can enter.

Example: Picture a high-security facility surrounded by fences and guarded by security personnel. Access is granted only through badge readers, ensuring that only authorized individuals can enter the premises.

Preventive Security Controls: Blocking the Path

Preventive security controls are the first line of defense, aiming to block unauthorized access and thwart potential security breaches. Think of them as the gatekeepers that stand firm against any attempts to compromise the system.

Examples of Preventive Controls:

  1. Firewall Rules: Imagine a firewall as a virtual security guard that inspects incoming and outgoing network traffic. It establishes a barrier between a trusted internal network and untrusted external networks, preventing unauthorized access and potential threats.
  2. Security Policies: Organizations create comprehensive security policies that outline acceptable use of resources, password requirements, and other guidelines. Adhering to these policies ensures that users operate within predefined boundaries, enhancing overall system security.
  3. Physical Access Controls: Guard shacks at the entrance of a facility or enabling door locks are tangible examples of preventive controls. These measures restrict physical access, ensuring that only authorized individuals can enter designated areas.

Deterrent Security Controls: Making Intruders Think Twice

Deterrent controls focus on discouraging potential intruders, even though they may not directly prevent access. Their goal is to create an environment that discourages malicious actors from attempting unauthorized activities.

Examples of Deterrent Controls:

  1. Application Splash Screens: A splash screen that warns users about the consequences of unauthorized access serves as a deterrent. It acts as a visual cue, making individuals think twice before proceeding.
  2. Threat of Demotion: In a corporate setting, the threat of demotion for security violations can deter employees from engaging in activities that might compromise the organization's security.
  3. Warning Signs: Posting warning signs in sensitive areas, such as server rooms or restricted zones, communicates the consequences of unauthorized entry and discourages individuals from attempting to breach security.

Corrective Security Controls: Rectifying After Detection

Corrective controls come into play after an event has been detected, aiming to reverse the impact of the incident and ensure the organization can continue its operations with minimal downtime.

Examples of Corrective Controls:

  1. Restoring from Backups: In the case of a ransomware infection, organizations can use corrective controls by restoring systems from backups. This mitigates the impact of the attack and allows the organization to resume normal operations.
  2. Security Issue Reporting Policies: Creating policies that mandate the reporting of security issues is a corrective measure. This enables a swift response to incidents, ensuring that appropriate actions are taken to address and rectify the problem.
  3. Engaging Law Enforcement: Corrective actions may involve collaborating with law enforcement to manage criminal activity. This can include investigations, legal proceedings, and other measures to address security breaches.

Compensating Security Controls: Filling the Gaps

Compensating controls come into play when existing controls are deemed insufficient. They act as supplementary measures to prevent the exploitation of weaknesses and provide an alternative layer of protection.

Examples of Compensating Controls:

  1. Firewall Blocking Specific Applications: Instead of patching a vulnerable application, a firewall can be configured to block that specific application. This compensating control helps mitigate the risk until a permanent solution is implemented.
  2. Separation of Duties: Implementing a separation of duties is a compensating control that prevents a single individual from having excessive control over a process or system. This minimizes the risk of unauthorized activities.
  3. Emergency Power Generators: When faced with a power outage, organizations may use generators as compensating controls to ensure critical systems remain operational until regular power is restored.

Directive Security Controls: Guiding Towards Compliance

Directive controls direct individuals and systems toward security compliance by providing guidelines, instructions, and policies. While relatively weak compared to other controls, they play a crucial role in shaping behavior and promoting security awareness.

Examples of Directive Controls:

  1. Protected Folder Usage: Directing users to store sensitive files in a protected folder is a directive control. This guides behavior by promoting a secure approach to handling confidential information.
  2. Compliance Policies and Procedures: Establishing compliance policies and procedures provides a framework for employees to follow, ensuring consistency in security practices across the organization.
  3. Security Training: Training users on proper security policies is a directive control that enhances awareness and educates individuals on best practices to mitigate security risks.

In conclusion, the world of security controls is diverse and dynamic, requiring a strategic and adaptable approach to safeguarding valuable assets. By understanding the degree of preventive, deterrent, corrective, compensating, and directive controls, organizations can build a comprehensive security framework that effectively mitigates risks and promotes a secure operational environment. Remember, security is a continuous journey, not a destination. Stay vigilant, adapt to changes, and always prioritize the protection of your digital and physical assets.

Test Yourself
Take Free Quiz
Watch our Video Tutorial
Watch Video Tutorial