Security Controls

Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks relating to personal property, or computer software

To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

• Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
• During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
• After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

(Some security professionals would add further categories such as deterrent controls and compensation. Others argue that these are subsidiary categories. This is simply a matter of semantics.)

Security controls can also be categorized according to their nature, for example:

• Physical controls e.g. fences, doors, locks and fire extinguishers;
• Procedural controls e.g. incident response processes, management oversight, security awareness and training;
• Technical controls e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
• Legal and regulatory or compliance controls e.g. privacy laws, policies and clauses.

A similar categorization distinguishes control involving people, technology and operations/processes.

Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.

Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO/IEC 27002, the Information Security Forum's Standard of Good Practice for Information Security and NIST SP 800-53 (more below). Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001.

In telecommunications, security controls are defined as Security services as part of OSI Reference model by ITU-T X.800 Recommendation. X.800 and ISO ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture are technically aligned.