TYPES OF CONTROL
AKASH GUPTA
Cyber security leadership, Security architect, IIM NAGPUR,{CKA,CKAD,CKS}Kubernetes, CCSK, {AZURE,AWS,GCP}Security
· Administrative Control:
· (1) Administrative controls, also known as management controls, are measures taken to manage and oversee security policies, procedures, and practices within an organization. These controls are designed to ensure that security policies and procedures are properly implemented, maintained, and enforced. (2) Administrative controls are essential for establishing the framework and structure of a comprehensive security program.
· EXAMPLES:
Security policies: Documents that outline the organization's security objectives, responsibilities, and overall security posture.
Incident response plans: Plans and procedures for responding to and containing security incidents.
Training and awareness programs: Programs designed to educate employees on security policies, procedures, and best practices.
Personnel security: Measures taken to ensure that employees are properly screened, trained, and supervised.
Compliance and regulatory requirements: Measures taken to ensure compliance with relevant laws, regulations, and industry standards.
· Technical Control:
· (1) Technical controls, also known as logical controls, are measures taken to protect digital assets and data from unauthorized access, use, disclosure, modification, or destruction. These controls are designed to prevent, detect, and respond to security incidents. (2) Implementing technical controls ensures the security and integrity of information systems and data.
· EXAMPLES:
Firewalls: Network devices that control incoming and outgoing network traffic based on predetermined security rules.
Intrusion detection systems: Systems that monitor network traffic for signs of unauthorized access or malicious activity.
Encryption: Techniques used to protect data from unauthorized access or disclosure.
Access controls: Measures taken to control access to digital assets and data, such as passwords, biometrics, and multi-factor authentication.
Antivirus software: Software designed to detect and prevent malware infections.
· Physical Control:
· Physical controls are measures taken to protect physical assets and facilities from unauthorized access, use, or damage. These controls are designed to prevent, detect, and respond to security incidents.
· EXAMPLES:
Locks and access controls: Measures taken to control access to physical facilities, such as doors, gates, and fences.
Surveillance cameras: Cameras used to monitor physical facilities and detect unauthorized access or activity.
Alarm systems: Systems that detect and alert personnel to unauthorized access or activity.
Secure storage: Measures taken to protect physical assets, such as data storage devices, from unauthorized access or damage.
Environmental controls: Measures taken to protect physical assets from environmental hazards, such as fire, water, and extreme temperatures.
Administrative, Preventive and Technical controls are further divided into the following categories:
· Preventive Control:
· (1) This control focuses on preventing problems before they occur. This is done by identifying potential sources of errors and taking steps to eliminate or reduce them. (2) It helps to reduce waste, improve efficiency, and increase customer satisfaction. (3) Preventive controls focus on preventing security breaches, security incidents and attacks from occurring. Preventive controls aim to reduce the likelihood of security incidents by implementing proactive measures. (4) When a preventive control is implemented, an intruder is prevented from performing an act. They do not have a choice in whether or not to perform the act. (5) Implementing preventive controls helps minimize risks and vulnerabilities in an organization's security posture.
· EXAMPLES:
Security training, access controls, security awareness programs, IPS, firewall, MFA, antivirus, hiring and termination policy, separation of duties, data classification, locks, gates, fences
· Detective Control:
· (1) It is used to detect errors or irregularities after the incident. Detective controls are typically used after transactions have occurred and can take the form of audits, reviews, or exception reports. (2) Detective controls are important because they can help to prevent errors and fraud from occurring. (3) They can also help organizations to identify potential problems so that corrective action can be taken. (4) Detective controls provide organizations with the ability to detect and respond to security incidents promptly.
· EXAMPLES:
Log monitoring, IDS, honeypots, internal/external auditing, job rotation, review of access rights, review of logs, error messages over tape labels, variance analysis, quality assurance, system monitoring tools
· Corrective Control:
· (1) It is used to fix problems that have already occurred. It is usually implemented after an issue has been identified, and its purpose is to prevent the problem from happening again in the future. (2) Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to normal operations.
· EXAMPLES:
Reissuing access cards, patching a system, rebooting a device, quarantining a virus, detecting malware
· Deterrent Controls
· The purpose of a deterrent control is to give a warning signal to deter a threat event. When a deterrent control is implemented, the intruder is being given a warning. Here, the intruder has a choice: either to act as per the warning or to ignore the warning.
· EXAMPLES:
CCTV cameras or "under surveillance" signs, warning signs
· Directive Controls
· Directive controls provide guidance and instructions on how to operate securely within an organization. They are an essential aspect of IT security, as they ensure that employees and systems operate in a way that minimizes the risk of security breaches.
· EXAMPLES:
Security Policies: These are high-level documents that outline the organization's security objectives, responsibilities, and overall security posture.
Procedures: These are step-by-step instructions that outline how to perform specific security-related tasks, such as incident response or vulnerability management.
Standards: These are mandatory requirements that outline specific security controls or configurations, such as password policies or firewall configurations.
Guidelines: These are recommended practices that provide guidance on how to implement specific security controls or configurations.
· Compensating Control
· (1) Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area. (2) Compensating controls are alternative measures implemented when primary controls cannot be met. (3) Compensating controls ensure that the overall security objectives are still achieved despite limitations in primary controls. (4) Implementing compensating controls helps maintain an acceptable level of security when primary controls are not feasible.
· EXAMPLES:
Endpoint Management, System Hardening, Network Segmentation
· Recovery Controls
· Recovery controls are a type of security control that focuses on restoring systems, data, and operations after a security incident or disaster.
· EXAMPLES:
Business continuity planning, disaster recovery planning, incident response planning, backup procedures plan, system restoration plan
Vice President - Enterprise Security Architecture @ Olam | Cloud Security Architecture
5 months ago: Very well articulated article on Cybersecurity controls. Infographic is concise and excellent.
Cyber security leadership, Security architect, IIM NAGPUR,{CKA,CKAD,CKS}Kubernetes, CCSK, {AZURE,AWS,GCP}Security
5 months ago: Appreciate your likes on this article