Control Type

Examples

Physical

IT

Human

Avertive

• geographic dispersion
• warning signs
• door locks
• conspicuous security systems
• hard to steal
• security guards
• security walk-throughs
• Uninterruptible Power Supplies (UPS)
• use different means of travel when VIPs travel simultaneously
• establish alternate telecomm services (e.g. more than one ISP)
• physical separation (air gap)
• tamper evident seals

• employ concepts of least privilege, separation of duties, and essential capabilities
• logon warning banners
• honeypots, honey accounts, honey files, large useless files at tops of directory structure
• network segmentation
• 3-zone IT architecture
• isolate security functions from non-security functions
• maintain real-time network map
• heterogeneous IT components
• session termination
• VPNs

• acceptable use policy
• user training
• visitor log in
• healthcare plans
• good pay and quality benefits
• team building programs
• background checks
• notification trees
• track predicted natural disasters
• track supply chain ownership changes
• penetration testing
• rotate roles and responsibilities

Preventive

• door badges
• key codes
• separate keys for sensitive areas
• fire suppression

• DNS filtering
• file/folder permissions
• encryption
• strong passwords
• multifactor authentication
• patching
• input validation
• antimalware/EDR
• secure configuration
• data loss prevention (DLP)
• network access control (NAC)
• MAC filtering
• service disabling
• whitelisting
• sandbox or detonation chambers
• force re-authentication during sessions
• employ unified identity, credential and access management (ICAM)
• delete high-value data after it is processed
• replace unsupported components

• visitor escort
• wellness programs
• analyze privileges periodically
• two-person rule

Detective

• alarm systems
• camera systems
• physical access logs
• fire detection
• motion sensors
• security guards
• security walk-throughs
• tamper evident seals

• DNS monitoring/filtering
• audit trails
• intrusion detection systems (IDS)
• network traffic monitoring
• checksums
• input validation
• file/executable integrity checks
• honeypots, honey accounts, honey files, large useless files at tops of directory structure
• antimalware/EDR
• sandbox or detonation chambers
• malware beaconing detection
• hardware fault detection
• hardware power-on self-test

• users/staff will notice a problem
• visitor monitoring
• phishing simulation training
• social media and web page monitoring
• fraud monitoring
• insider threat monitoring
• open-source/dark-web scanning

Corrective

• organization can replace the device/system
• insurance
• outsourcing (e.g. snow removal for physical access denial)
• maintain alternate sites

• data backups (with protection)
• maintain baseline configurations
• redundant components/systems
• spares
• Uninterruptible Power Supplies (UPS)
• outsourcing to MSP
• dynamic reconfiguration (e.g. of access control lists)
• dynamic resource allocation (load balancing, emergency shutoff)
• adaptive management (automatic disabling of systems)
• malware reverse engineering
• backup DNS service

• maintenance and testing of Incident Response/Contingency plans
• backup restoration procedures
• alternate site planning
• cross training
• social media correction policy
• termination procedures