3 Understanding Security Controls


This chapter covers

  • Categories of security controls
  • Types of security controls
  • Combining security controls to create defense in depth

Organizations implement security controls to reduce risk to an acceptable level. As discussed in the previous chapter, the specific security controls that apply to an asset depend on its nature. For example, corporate laptops require strong passwords, while a public website requires a firewall to block external threats. These controls—passwords and firewalls—are different, yet each is appropriate for the asset it protects. Beyond the characteristics of the asset, the selection must also consider the asset's value, its vulnerabilities, and the likelihood and impact of a threat exploiting those vulnerabilities.

Implementing security controls can be costly and disruptive to business operations. When selecting security controls, a balance should be sought between the expected risk and the cost of implementation: a control should not cost more than the loss it is meant to prevent. Because organizations operate under budget constraints, it is critical to select the most cost-effective controls. In addition, these controls must be implemented in a way that supports, rather than hinders, the organization's business operations.

3.1 Understanding Security Controls

3.1.1 Categories of Security Controls

3.1.2 Physical Controls

3.1.3 Technical Controls

3.1.4 Administrative Controls

3.1.5 Types of Security Controls

3.1.6 Full overview of Security Controls Functions

3.2 Summary