There are a number of Information Technology security controls. The three most common are physical, technical, and administrative controls; however, many organizations break administrative controls down into two separate categories: procedural and legal controls. “Security controls are the means of enforcing security policies that reflect the organization’s business requirements” (Johnson). Security controls are implemented to guarantee the information security C-I-A triad. Furthermore, security controls fall into three control classifications: preventive, detective, and corrective. These classifications specify when a security control applies: before an incident (preventive), while it is happening (detective), or after it has occurred (corrective).

Physical Controls are exactly what they sound like: physical obstacles used to prevent or deter access to IS resources.
Physical controls can be barriers such as locked doors that require some sort of authentication/authorization step to enter, like a cipher lock or keycard. Biometric scanners are also excellent controls for identifying authorized personnel and allowing them access. Video cameras and closed-circuit television are also examples of physical controls. Organizations requiring extreme security measures use perimeter barriers such as walls or electric fences; additionally, security guards fall into the physical controls category.

Technical Controls are logical and/or software-related controls designed to restrict access to the network infrastructure, components, and data. Discretionary and mandatory access controls, rule- and role-based access controls, and passwords are all examples of technical controls.
Physical controls are used to prevent physical access to the physical components, whereas technical controls are implemented to prevent digital/logical access if physical access is achieved. Some physical hardware can also fall under the technical control category because it contains the software used to prevent or allow access to the network; firewalls and routers are examples.

Administrative Controls can best be described as the paper-based controls designed to inform personnel who can do what, when, where, why, and how. As stated above, administrative controls are sometimes broken down into two separate categories: procedural controls and legal controls.
Procedural Controls are an organization's policies and procedures that all employees must follow in each specific circumstance for which they were written. Examples include security awareness and training, incident response plans, and change controls. Some of these procedures include step-by-step instructions that must be adhered to in order to handle each topic, whereas others are more general controls that may or may not relate to other policies.

Legal Controls are controls that must be in place for organizations to operate. Compliance regulations, laws, and standards fall into this category; examples include HIPAA, PCI DSS, GLBA, SOX, FERPA, and CIPA. Administrative controls also protect the organization by informing employees of the punitive measures that can or will follow non-compliance violations, for example through the Acceptable Use Policy.