Security Laboratory

Security Laboratory

Security Controls

By Stephen Northcutt
Version 1.2

Security controls are technical or administrative safeguards or counter measures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined. The purpose of this section is to define technical, administrative/personnel, preventative, detective, and corrective compensating controls, as well as general controls.

According to the GAO, "The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and organizes and develops its people."[1]

From this we can derive that some controls are the actions that people take, we call these administrative controls. Administrative controls are the process of developing and ensuring compliance with policy and procedures. They tend to be things that employees may do, or must always do, or cannot do. Another class of controls in security that are carried out or managed by computer systems, these are technical controls.

Activity phase controls can be either technical or administrative and are classified as follows:
• Preventative controls exist to prevent the threat from coming in contact with the weakness.
• Detective controls exist to identify that the threat has landed in our systems.
• Corrective controls exist to mitigate or lessen the effects of the threat being manifested.

These correspond to the life cycle phases of a security program. Firewalls are primarily preventative controls. IPS could be configured to be both preventative and detective. IDS is purely detective. Reloading an operating system suspected of having malware from the gold standard is a corrective control. These are all examples of technical controls. Forensics and incident response are examples administrative or personnel corrective controls.

Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls can not be used due to limitations of the environment. These are generally required when our activity phase controls are not available or when they fail. According to Element Payment Services, "Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through implementation of other controls."[2]





Security Awareness Training

System Monitoring

OS Upgrade

Backup Generator



Backup Data Restoral

Hot Site




Server Isolation

Security Guard

Motion Detector

Vulnerability Mitigation



Table 1 Illustration of phase controls [3]

There is also probably a near infinite number of functional control categories. NIST lists 18. Many security experts feel the phase controls (protective, detective, reactive) make more sense in the real world. NIST lists the three primary categories as Administrative, Technical and Physical:

Administrative Technical Physical
- Preventive - Preventive - Preventive
- Detective - Detective - Detective
- Corrective - Corrective - Corrective
Table 2: Illustration of mapping NIST controls to phase controls.[4]

We are not going to make an attempt to list all of the functional controls, but a few are listed for consideration:
  • The management framework. Entity Wide security program planning and management that provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls

  • Physical controls include locks, fences, mantraps and even geographic specific controls.

  • Access controls that limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure.

  • Application software development and change controls that prevent unauthorized programs or modifications to an existing program from being implemented.

  • System software controls that limit and monitor access to the powerful programs and sensitive files that (1) control the computer hardware and (2) secure applications supported by the system.

  • Segregation of duties that are policies, procedures, and an organizational structure established so that one individual cannot control key aspects of computer-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

  • Service continuity controls to ensure that when unexpected events occur, critical operations continue without interruption.

References: Links valid as of September 1, 2009
3 Email from Darlene Pitts 9/1/09
4 Email from Bob Johnson 9/1/09