Systems and Security : Governance, Risk, and Compliance

Compare various types of controls

I. Category - Managerial - Operational - Technical
II. Control type - Preventive - Detective - Corrective - Deterrent - Compensating - Physical

I. Category of Controls:

1. Managerial Controls: These are the top-level policies and procedures that govern an organization's overall approach to security. They provide guidance and direction to all levels of the organization and are often implemented through senior management or a board of directors. Examples include security policies, risk assessments, and incident response plans.

2. Operational Controls: These controls are designed to manage day-to-day security operations. They include procedures for performing specific tasks, such as monitoring for security events, performing security audits, and managing access to systems and data. Examples include security event monitoring and response procedures, access control policies, and backup and recovery procedures.

3. Technical Controls: These controls are the specific tools and technologies used to implement security. They include firewalls, intrusion detection systems, antivirus software, and encryption. Technical controls are often the first line of defense against threats and are used to enforce security policies and procedures.

II. Control Type:

1. Preventive Controls: These controls are designed to prevent security incidents from occurring. They include access controls, encryption, firewalls, and security policies.

2. Detective Controls: These controls are designed to detect security incidents after they have occurred. They include intrusion detection systems, security information and event management (SIEM) systems, and security audits.

3. Corrective Controls: These controls are designed to correct problems after they have been identified. They include incident response plans, data backup and recovery procedures, and patches and software updates.

4. Deterrent Controls: These controls are designed to discourage individuals from attempting security incidents. They include security awareness training, background checks, and penalties for security violations.

5. Compensating Controls: These controls are used when preventive or detective controls are not feasible. They include workarounds or alternative solutions that provide an equivalent level of security.

6. Physical Controls: These controls are designed to secure physical access to systems and data. They include locks, security cameras, and security guards.