Control Types

Relationships between control types:

[Figure: relationships between cybersecurity control types]

Examples of each control type. The original table grouped the examples for each control type under three columns, Physical, IT, and Human; each list below runs in that order, from physical controls through IT controls to human controls.

Avertive

  • geographic dispersion
  • warning signs
  • door locks
  • conspicuous security systems
  • hard to steal
  • security guards
  • security walk-throughs
  • Uninterruptible Power Supplies (UPS)
  • use different means of travel when VIPs travel simultaneously
  • establish alternate telecom services (e.g. more than one ISP)
  • physical separation (air gap)
  • tamper evident seals
  • employ concepts of least privilege, separation of duties, and essential capabilities
  • logon warning banners
  • honeypots, honey accounts, honey files, large useless files at the top of the directory structure
  • network segmentation
  • 3-zone IT architecture
  • isolate security functions from non-security functions
  • maintain real-time network map
  • heterogeneous IT components
  • session termination
  • VPNs
  • acceptable use policy
  • user training
  • visitor sign-in
  • healthcare plans
  • good pay and quality benefits
  • team building programs
  • background checks
  • notification trees
  • track predicted natural disasters
  • track supply chain ownership changes
  • penetration testing
  • rotate roles and responsibilities

Preventive

  • door badges
  • key codes
  • separate keys for sensitive areas
  • fire suppression
  • DNS filtering
  • file/folder permissions
  • encryption
  • strong passwords
  • multifactor authentication
  • patching
  • input validation
  • antimalware/EDR
  • secure configuration
  • data loss prevention (DLP)
  • network access control (NAC)
  • MAC filtering
  • service disabling
  • whitelisting
  • sandbox or detonation chambers
  • force re-authentication during sessions
  • employ unified identity, credential and access management (ICAM)
  • delete high-value data after it is processed
  • replace unsupported components
  • visitor escort
  • wellness programs
  • analyze privileges periodically
  • two-person rule

Detective

  • alarm systems
  • camera systems
  • physical access logs
  • fire detection
  • motion sensors
  • security guards
  • security walk-throughs
  • tamper evident seals
  • DNS monitoring/filtering
  • audit trails
  • intrusion detection systems (IDS)
  • network traffic monitoring
  • checksums
  • input validation
  • file/executable integrity checks
  • honeypots, honey accounts, honey files, large useless files at the top of the directory structure
  • antimalware/EDR
  • sandbox or detonation chambers
  • malware beaconing detection
  • hardware fault detection
  • hardware power-on self-test
  • users/staff will notice a problem
  • visitor monitoring
  • phishing simulation training
  • social media and web page monitoring
  • fraud monitoring
  • insider threat monitoring
  • open-source/dark-web scanning

Corrective

  • organization can replace the device/system
  • insurance
  • outsourcing (e.g. snow removal for physical access denial)
  • maintain alternate sites
  • data backups (with protection)
  • maintain baseline configurations
  • redundant components/systems
  • spares
  • Uninterruptible Power Supplies (UPS)
  • outsourcing to MSP
  • dynamic reconfiguration (e.g. of access control lists)
  • dynamic resource allocation (load balancing, emergency shutoff)
  • adaptive management (automatic disabling of systems)
  • malware reverse engineering
  • backup DNS service
  • maintenance and testing of Incident Response/Contingency plans
  • backup restoration procedures
  • alternate site planning
  • cross training
  • social media correction policy
  • termination procedures