A security control is a safeguard or countermeasure that minimizes the risks to your business. They can be something physical like a lock on a door, technical like a computer firewall or it can be administrative, such as company policy. It’s important for business owners to understand the different options they have for security controls for a couple of reasons. Firstly, many regulations like HIPAA, GDPR or PCI-DSS require that companies have security controls for different information systems within the company. Failure to do so can result in heavy fines, damaged reputations and jail time for company executives. Secondly, it’s an important part of your overall security strategy. Understanding the different types of security controls and what they do for you helps you to ensure that you are covered in all areas.
Physical Controls: This includes all tangible/physical devices that are used to prevent or detect unauthorized access to company assets. This means things such as fences, surveillance cameras, guard dogs and physical locks and doors.
Technical Controls: This includes hardware and software mechanisms that are used to protect assets from non-tangible threats. This includes things like encryption, firewalls, antivirus software and intrusion detection systems (IDS).
Administrative Controls: This refers to the policies, procedures and guidelines that outline company practices in accordance with security objectives. Some common examples of this will be employee hiring and termination procedures, equipment and internet usage, physical access to facilities and separation of duties.
Types of Controls
A preventative security control is what you use to stop a malicious action from happening. This will typically be the first type of control you want, and when working correctly it provides the most effective overall protection. Some examples of this include:
Computer Firewalls(Technical): A firewall is a hardware or software device that filters computer traffic and prevents unauthorized access to your computer systems.
Antivirus(Technical): This is a software program that prevents, detects and removes malware from computer systems.
Security Guards(Physical): Security guards are typically assigned to an area and they are responsible for ensuring that people do not go into a restricted area unless they can prove they have a right to be there.
Locks(Physical): This refers to any physical lock on a door that prevents people from entering without having the proper key.
Hiring and Termination Policies(Administrative): During the hiring process, things like background checks help to prevent people that have a history of bad behaviour (e.g. sexual violence) from coming into the company. Termination policies allow managers to remove people that are causing problems for the company.
Separation of Duties(Administrative): Separation of Duties means requiring more than one person to complete a task. It prevents people from committing fraud because every process requires multiple people, and any individual trying to commit fraud would be noticeable to the other people responsible for carrying out the process.
Detective controls are meant to find any malicious activities in your environment that got past the preventative measures. Realistically, you’re not going to stop all of the attacks against your company before they happen, so you need to have a way to find out when something has failed and then you can go correct it. Some examples include:
Intrusion Detection Systems(Technical): Intrusion detection systems monitor a company’s network for any signs of malicious activity and send you alerts whenever an abnormal activity is found.
Logs and Audit Trails(Technical): Logs and audit trails are essentially records of activity on a network or computer system. By reviewing these logs you can find out whether malicious activity happened on the computer or network.
Video Surveillance(Physical): This means having cameras set up in important areas of the company and having people monitor those feeds to see if anyone that isn’t supposed to be there was able to get access.
Enforcing Staff Vacations(Administrative): Enforced vacations help to detect fraud by forcing individuals to leave their work and have someone else pick up that process. If someone has been doing fraudulent activity it will be apparent to the new person that is performing that task.
Review Access Rights(Administrative): By reviewing individuals’ access rights, you can see who has access to resources that they shouldn’t, and you can review who has been accessing those resources.
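The two administrative/technical detective controls above (reviewing logs and reviewing access rights) are easy to turn into a repeatable check. The following script is an added example and is not code from the original article; it runs over constructed sample data only. The sshd-style log lines, the IP addresses, the user names and the group names (`payroll-read`, `payroll-admin`, `vpn`) are all made up for illustration, and the threshold of five failures within one minute is an assumed tuning value, not a recommendation from the page.

```python
"""Added example (not from the original article): two small detective checks
over constructed data, matching the 'Logs and Audit Trails' and 'Review
Access Rights' controls described above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in an sshd-like format; not from any real host.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5001
2024-03-01T09:00:03 sshd[102]: Failed password for root from 203.0.113.7 port 5002
2024-03-01T09:00:04 sshd[103]: Failed password for root from 203.0.113.7 port 5003
2024-03-01T09:00:06 sshd[104]: Failed password for root from 203.0.113.7 port 5004
2024-03-01T09:00:09 sshd[105]: Failed password for root from 203.0.113.7 port 5005
2024-03-01T09:05:00 sshd[106]: Accepted publickey for alice from 198.51.100.4 port 6001
2024-03-01T09:30:00 sshd[107]: Failed password for bob from 198.51.100.9 port 6002
2024-03-01T09:31:00 sshd[108]: Accepted password for bob from 198.51.100.9 port 6003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for source IPs that produced at least
    `threshold` failed logins inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits the time limit.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed access-review data: what the directory says each user currently
# holds versus what the resource owners approved. Group names are hypothetical.
CURRENT_GRANTS = {
    "alice": {"payroll-read", "vpn"},
    "bob": {"vpn", "payroll-admin"},
    "carol": {"vpn"},
}
APPROVED_GRANTS = {
    "alice": {"payroll-read", "vpn"},
    "bob": {"vpn"},
}


def review_access_rights(current, approved):
    """Return {user: unapproved_entitlements}. A user missing from the approved
    list (e.g. a leaver who was never deprovisioned) has every grant reported."""
    findings = {}
    for user, grants in current.items():
        extra = grants - approved.get(user, set())
        if extra:
            findings[user] = extra
    return findings


if __name__ == "__main__":
    print("Failed-login bursts:", failed_login_bursts(parse_auth_log(SAMPLE_LOG)))
    print("Unapproved access:", review_access_rights(CURRENT_GRANTS, APPROVED_GRANTS))
```

On the sample data the log check flags only `203.0.113.7` (five failures in nine seconds), while bob's single failure followed by a success is left alone; the access review reports bob's extra `payroll-admin` group and carol, who has a grant but no approval record at all. Both outputs are the kind of finding the article says a detective control should surface so that a corrective control can then act on it.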
Deterrent controls attempt to discourage people from doing activities that will be harmful to your company. This way you have fewer actual threats to deal with. Usually this is done by making it harder to perform the action or by making the consequences for getting caught well known. Some examples include:
Guard Dogs(Physical): Having guard dogs can be intimidating to potential trespassers and helps to deter people.
Warning signs (Physical): By advertising that your property is under video surveillance and has security alarms, it can deter people from trying to break in.
Pop-up messages(Technical): Having messages displayed on users’ computers or corporate homepages warning people about certain behaviours (e.g. no watching porn on a company laptop).
Firewalls(Technical): You may have experienced when you try to browse certain sites on a corporate laptop you get blocked and a warning message that certain sites are not permitted on the laptop. These messages help to deter people from trying to browse certain sites on company laptops.
Advertise Monitoring(Administrative): Many companies make it known that admin account activities are logged and reviewed. This helps to deter people from using those accounts to do bad things.
Employee onboarding(Administrative): During onboarding you can highlight the penalties for misconduct in the workplace and this helps to deter employees from engaging in bad behaviour.
Corrective controls try to get your systems back to a normal state following a security incident. Some examples include:
Reissue access cards(Physical): In the event of a lost or stolen access card, it needs to be deactivated and a new access card issued.
Repair Physical Damage (Physical): In the event of a damaged door, fence or lock you need to have a process for getting it repaired quickly.
System and Data Backups(Technical): You should be doing regular backups of important information and have a process in place for quickly restoring to the last known good backup in the event of a security incident.
Patching(Technical): In the event of a new vulnerability coming out that puts your company in an at-risk state, you should be sure to have a process for quickly getting a patch pushed out and returning to a “secure state”.
Disaster Recovery Plan(Administrative): This is a plan that outlines how to get back to a normal state of operations following a natural or human made disaster.
Incident Response Plan(Administrative): An incident response plan outlines the steps you can take to go back to normal business operations following a cybersecurity breach.
In order to make sure you are compliant with information security regulations and well protected against potential risks, you want to have security controls from each of these areas. You want to deter people from stealing from your company, you want controls to prevent people from getting your company’s information, you need to be able to detect when someone has successfully breached your organization, and lastly you need to be able to recover from an attack and get back to normal business operations with minimal effort.