Security Controls

To make sure we’re all on the same page about the types of controls that Security GRC functions are concerned about, it's necessary to have a brief discussion about the security controls themselves.

From other learning that you may have already done, you likely understand that security or cybersecurity is focused on protecting the Confidentiality, Integrity, or Availability of systems and information/data. The way security professionals accomplish that goal is by implementing various security controls, and typically, those security controls can be categorized in 1 of 3 ways:

1. Detective
2. Preventive
3. Reactive.

• Preventive controls are those designed to stop malicious behavior in its tracks--- prevent it from occurring. These are firewalls, web-application firewalls, anti-virus solutions, and etc.

• Detective controls are designed to detect malicious behavior allowing security professionals to respond in some way. These are controls like network or host-based intrusion detection systems or user behavior analytics platforms.

• Reactive controls are designed to enable security personnel to react to potential security events once detected.

Occasionally security professionals will describe what are called policy controls meaning controls that are policy or procedure-based and not technological controls, but we will talk about policy and procedure as if they are a part of preventive controls. Policies and procedures are designed to prevent security issues.