Study Guide: CompTIA Security SY0-601 Exam: Control Types
Source: https://www.fatskills.com/civil-engineering/chapter/comptia-security-sy0-601-exam-control-types

CompTIA Security SY0-601 Exam: Control Types

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Compare and contrast various types of controls.

Topics:
- managerial control
- operational control
- technical control
- preventive control
- detective control
- corrective control
- deterrent control
- compensating control
- physical control

To compare controls, it is helpful to understand the general taxonomy of controls. A control is simply a defense or countermeasure put in place to manage risk. If a risk cannot be completely avoided or transferred, but the organization is not willing to accept it in full, the appropriate action is to mitigate the risk with one or more controls. Controls can be classified in several ways, and a single control can fall into more than one class. At a high level, controls are classified by their nature as technical, managerial, or operational. They can be further classified by their functional use, that is, by when in the life of an incident they act: deterrent, preventive, detective, or corrective.

Nature of Controls
You can apply three general classifications of controls to mitigate risks, typically by layering defensive controls to protect data with multiple control types. This technique is called a layered defensive strategy, or defense in depth. These are the three types of controls:
- Technical: Technical controls are security controls that are executed by technical systems. Technical controls include logical access control systems, security systems, encryption, and data classification solutions.
- Managerial: Managerial controls (also called administrative controls) are the business and organizational processes and procedures that govern security, such as security policies and procedures, personnel background checks, security awareness training, and formal change-management procedures. They are defined, communicated, and enforced by people rather than by systems.
- Operational: Operational controls include organizational culture and physical controls that form the outer line of defense against direct access to data, such as protecting backup media; securing output and mobile file storage devices; and paying attention to facility design details, including layout, doors, guards, locks, and surveillance systems.

Functional Use of Controls
The categories of controls just described can be further classified by their functional use or based on the time when they are in use. The following sections describe these controls and provide examples of each of them:
- Deterrent
- Preventive
- Detective
- Corrective
Consider the importance of having both detection controls and prevention controls. In a perfect world, we would need only prevention controls. Unfortunately, not all malicious activity can be prevented. As a result, it is important to make detection controls part of a layered security approach. For example, the best-protected banks use both detective controls and preventive controls. In addition to the locks, bars, and security signs, the bank probably has various detective controls, such as motion detectors and cash register audits.
Controls work together as a security system and provide layered defense mechanisms for defense in depth.

Deterrent Controls
Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures.
Deterrents do not necessarily have to stop unauthorized access; as the name implies, they only need to discourage it. They usually take the form of a punishment or consequence that makes performing unauthorized activities undesirable, so deterrence depends on the would-be intruder believing that violations will be detected and punished. Examples of deterrent controls are login banners and signs warning that systems are being monitored. Perhaps you have seen or know someone who has a “Beware of Dog” sign but doesn’t actually have a dog.

Preventive Controls
Preventive controls attempt to prevent unwanted events by inhibiting the free use of computing resources.
Preventive controls are often hard for users to accept because they restrict free use of resources. Administrative examples include security awareness training, separation of duties, and security policies and procedures; technical examples include access control systems, intrusion prevention systems, firewalls, and anti-malware.

Detective Controls
Detective controls attempt to identify unwanted events after they have occurred. Common technical detective controls include audit trails, intrusion detection systems, system monitoring, checksums, and anti-malware.
Common physical detective controls include motion detectors, CCTV monitors, and alarms. Administrative detective controls are used to determine compliance with security policies and procedures. They can include security reviews and audits, mandatory vacations, and rotation of duties.

Corrective Controls
Corrective controls are reactive and provide measures to reduce harmful effects or restore the system that is being affected. Examples of corrective controls include operating system upgrades, data backup restoration, vulnerability mitigation, and anti-malware.
Did you notice that anti-malware is listed as an example for all three types of controls? Anti-malware is preventive because it can block certain potentially dangerous file types from being downloaded. It is detective because it can identify and alert administrators when a file is infected with malware. Finally, it is corrective because it can quarantine or fix infected files.
Some controls can be multiple types. A visible camera, for example, serves as a detective control (if actively monitored) and also as a deterrent to a would-be attacker, which makes it preventive as well. Without active monitoring by a security guard, however, cameras are likely useful only for later analysis to identify the actor and means following an incident. Security guards, on the other hand, easily serve as both preventive and detective controls. In addition, a security guard can be a corrective control by initiating an immediate response to an incident and potentially alerting others about the identified threat.

Compensating Controls
Compensating controls are alternative controls that are intended to reduce the risk of an existing or potential control weakness. Compensating controls are not a shortcut to compliance or security. They come into play when a business or technological constraint prevents the primary control from being implemented, and an alternative that is effective against the current threat landscape is put in place instead. For example, if separation of duties is required but duties cannot be separated because of company size, compensating controls should be in place. These can include audit trails and transaction logs that someone in a higher position reviews.
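The separation-of-duties example above can be made concrete. What follows is an added example, not code from the study guide: the preventive control (a payment system that refuses to let one person both create and approve a transaction) is assumed to be unavailable, so every transaction is logged with its creator and approver, and a manager runs a review over that log. The review flags self-approval, unapproved postings, and high-value items, and it also checks that the reviewer is independent of the transactions being reviewed, since a compensating review by a party to the transaction compensates for nothing. The JSON log lines, field names, user names, and the 10,000 threshold are constructed for illustration.

```python
"""Compensating control for a separation-of-duties gap: supervisory log review.

Added example, not from the study guide. The ideal preventive control (the
system refuses to let one person both create and approve a payment) is
assumed unavailable because the team is too small. Instead each transaction
is recorded with who created and who approved it, and a manager runs this
review over the log. Log format, field names and values are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample log: one JSON object per line, as an application might emit.
SAMPLE_LOG = """\
{"id": "T1001", "created_by": "alice", "approved_by": "bob", "amount": 4200.00, "payee": "ACME Supplies"}
{"id": "T1002", "created_by": "bob", "approved_by": "bob", "amount": 950.00, "payee": "B. Smith"}
{"id": "T1003", "created_by": "alice", "approved_by": "carol", "amount": 18000.00, "payee": "Globex"}
{"id": "T1004", "created_by": "carol", "approved_by": null, "amount": 120.00, "payee": "Office Depot"}
{"id": "T1005", "created_by": "bob", "approved_by": "alice", "amount": 75.50, "payee": "B. Smith"}
"""


@dataclass(frozen=True)
class Finding:
    txn_id: str
    rule: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line; malformed lines raise rather than hide."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records: list[dict], reviewer: str, high_value: float = 10_000.0) -> list[Finding]:
    """Apply the review rules a manager would use in place of enforced separation.

    - self-approval: creator and approver are the same account (the SoD breach
      the missing preventive control would have blocked).
    - unapproved: posted with no approver at all.
    - high-value: at or above the threshold, needs explicit manager sign-off.
    - reviewer-not-independent: the reviewer is a party to the transaction, so
      this record must go to someone else; the control is void otherwise.
    """
    findings: list[Finding] = []
    for r in records:
        creator, approver = r["created_by"], r["approved_by"]
        if approver is None:
            findings.append(Finding(r["id"], "unapproved", f"{creator} posted without approval"))
        elif approver == creator:
            findings.append(Finding(r["id"], "self-approval", f"{creator} created and approved"))
        if r["amount"] >= high_value:
            findings.append(Finding(r["id"], "high-value",
                                    f"{r['amount']:.2f} to {r['payee']} needs sign-off"))
        if reviewer in (creator, approver):
            findings.append(Finding(r["id"], "reviewer-not-independent",
                                    f"{reviewer} is a party to this transaction"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG), reviewer="dana"):
        print(f"{f.txn_id} [{f.rule}] {f.detail}")
```

The review is only as good as the log it reads: the application must write the creator and approver fields itself, and the log must be protected from the same users whose actions it records, or the compensating control inherits the weakness it was meant to cover.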
We need look no further than our daily lives to find examples and analogies of the various types of controls and compensating controls we encounter every day. In your digital life, you might have met someone who doesn’t want to incur the cost (monetary, and perceived technical) of running anti-malware software. That person might compensate by being extra careful and navigating only to well-known, trusted websites. Or consider parents traveling with a baby but without the normal control of a crib’s high rails. Perhaps you can already see the compensating control of the child sleeping between the parents in bed or among pillows on the floor.

In another practical example, consider that most organizations have well-defined standards for controls that are commensurate with the risk. One such standard might require third-party web-based applications to enforce passwords of at least 12 alphanumeric characters. If the vendor does not support this, the organization can demand it, but until the vendor delivers it, the organization can either decline to use that vendor or adopt a temporary compensating measure, such as detailed logging and monitoring of session events or more frequent password changes.

Quiz questions:

1. Which of the following are functional control types? (Select three.) A. Deterrent B. Preventive C. Compensating D. Detective

2. A recent audit revealed that most of the organization is not properly handling sensitive data correctly. To address this shortcoming, your organization is implementing computer security awareness training. What type of control is this? A. Logical B. Administrative C. Detective D. Physical

Answer 1: A, B, and D. Functional controls can be deterrent, preventive, detective, and corrective controls. Compensating controls are alternative controls put in place to reduce the risk of an existing or potential control weakness. Thus, answer C is incorrect.
Answer 2: B. This is an example of a managerial or administrative control. Answers A, C, and D are incorrect. While technical controls such as data classification systems and DLP can help address this situation, security awareness training is not of a technical or logical nature. Awareness training can serve a functional use (for example, deterrent, preventive, detective, or corrective), but given the situation, this was not a detective functional control.