My new domain network Management

Security Controls

Security controls are the building blocks of a security program. They are the tools that you implement to protect the confidentiality, integrity, and availability of important assets and data. Much of the assessment work that an auditor conducts is around the many controls that a company has (or doesn't have) to reduce risk. Auditors are concerned with how well the controls accomplish the goals set forth by the security policy.

Controls are typically thought of in terms of technology. Firewalls or IPS systems come to mind, but there are many types of controls that can be used to protect your systems. The primary classification of controls can be accomplished by grouping them under three main categories: administrative, technical, and physical.

Administrative Controls
Administrative controls can consist of policies, like an acceptable use policy or security awareness training. Additionally, administrative controls can consist of processes like balancing the corporate books and security auditing. This type of control is typically focused on managing people, through measures like separation of duties, mandatory vacation, or any other rules that provide a deterrent to fraud or improper behavior.

Technical Controls
Technical controls consist of the technology that you implement to prevent or enforce behavior on the network or computing resources. They can include firewalls, IPS, HIPS, role-based access control, or any other mechanism of enforcing policy.

Physical Controls
If you want to deter people from walking through your yard, put a fence up. While this won't keep everyone out, it is an example of a useful physical control. In an office setting, physical controls include locked doors, key card access systems, video surveillance, guards, gates, and so on. This type of control is designed to restrict access to sensitive devices and areas.

Each of the primary control groups can be further broken out into specific types of actions the control can take. While there are others, the standard set includes preventive, detective, corrective, and recovery.

Preventive
A preventive control's purpose is to enforce the confidentiality, integrity, and availability of data and assets. If the primary control is technical, then preventive controls will be firewall rules, ACLs, or other technology used to block unauthorized access. Administrative preventive controls can include things like policies and warning banners. The primary category of controls (administrative, technical, and physical) gives context to how to implement the secondary controls.

Detective
Detective controls are the alarm systems built into various parts of the business to detect if bad things are happening. These could be video surveillance, firewall logs, an intrusion prevention system, or Cisco MARS. This type of control also includes financial and security audits.

Corrective
Corrective controls are reactive in nature. If you detect a malicious packet on the network, and your IPS is configured to drop the packet and also block the source, then this is an example of a corrective control. Patch management is another example of correcting a vulnerability and would fall under this control type.
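As an added illustration (not code from the original post), the following Python models how the preventive, detective, and corrective control types described above fit together in one toy packet filter: an allow-list ACL with default deny is the preventive control, counting denies per source and writing an audit log is the detective control, and automatically blocking a source after repeated denies is the corrective control. All addresses, ports, the threshold, and the sample packets are constructed values.

```python
"""Toy packet filter showing preventive, detective and corrective controls.

Added illustration, not code from the original post. All addresses, log
lines and the block threshold are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Filter:
    # Preventive control: an explicit allow-list of (network, port).
    # Anything that does not match is denied by default.
    allowed: list = field(default_factory=list)
    # Corrective control state: sources that have been blocked outright.
    blocked: set = field(default_factory=set)
    # Detective control state: deny counts per source plus an audit log.
    denies: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)
    block_after: int = 3  # constructed threshold for the auto-block

    def check(self, pkt: Packet) -> str:
        """Return 'permit', 'deny' or 'drop' and record the decision."""
        src = ip_address(pkt.src)
        if pkt.src in self.blocked:
            # Corrective control in effect: the source is dropped regardless
            # of whether the ACL would otherwise have permitted it.
            self.log.append(f"DROP blocked src={pkt.src} dst={pkt.dst}:{pkt.dport}")
            return "drop"
        for net, port in self.allowed:
            if src in ip_network(net) and pkt.dport == port:
                self.log.append(f"PERMIT src={pkt.src} dst={pkt.dst}:{pkt.dport}")
                return "permit"
        # Preventive control: default deny for anything not on the allow-list.
        self.denies[pkt.src] += 1
        self.log.append(f"DENY src={pkt.src} dst={pkt.dst}:{pkt.dport}")
        # Detective control: repeated denies from one source is the alarm
        # condition that the audit log and counters exist to surface.
        if self.denies[pkt.src] >= self.block_after:
            # Corrective control: react to the alarm by blocking the source.
            self.blocked.add(pkt.src)
            self.log.append(f"BLOCK src={pkt.src} after {self.denies[pkt.src]} denies")
        return "deny"


def run_sample():
    """Run a constructed packet sequence through the filter."""
    f = Filter(allowed=[("10.0.0.0/8", 443), ("10.0.0.0/8", 22)])
    packets = [
        Packet("10.1.2.3", "10.9.9.9", 443),   # internal host, allowed port
        Packet("192.0.2.7", "10.9.9.9", 22),   # external host, three denies...
        Packet("192.0.2.7", "10.9.9.9", 23),
        Packet("192.0.2.7", "10.9.9.9", 445),  # ...triggers the auto-block
        Packet("192.0.2.7", "10.9.9.9", 443),  # now dropped even on an allowed port
        Packet("10.1.2.3", "10.9.9.9", 80),    # internal host, single deny, no block
    ]
    results = [f.check(p) for p in packets]
    return f, results


if __name__ == "__main__":
    flt, decisions = run_sample()
    print(decisions)
    print("\n".join(flt.log))
```

The point of the separation is that each control type can be audited on its own: the allow-list can be reviewed against policy, the deny counters and log show whether the detective control is actually catching anything, and the blocked set shows what corrective action was taken and why.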

Recovery
Recovery controls are like parachutes on a plane. Hopefully you won't need them, but they are there if you do. Backup systems, redundant power supplies, and spare parts are all examples of recovery controls. Restoring services is the goal of these controls.
