User:Mjo5091/sandbox/Security controls (Information Security)

This is not a Wikipedia article: It is an individual user's work-in-progress page, and may be incomplete and/or unreliable. For guidance on developing this draft, see Wikipedia:So you made a userspace draft.

Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL
Easy tools: Citation bot (help) | Advanced: Fix bare URLs
This page was last edited by Mjo5091 (talk | contribs) 3 years ago. (Update timer)

Finished writing a draft article? Are you ready to request an experienced editor review it for possible inclusion in Wikipedia? Submit your draft for review!

Information security controls are safeguards of different types and functions which protect the confidentiality, integrity, and availability of data (also known as the CIA triad) ^[1].

Information security control types

There are three main types if Information security controls:

Physical controls are material implementations of security measures, e.g., fences, sensors, and re-issuing new access cards.
Technical or logical controls use computing capabilities to implement protective security measures, e.g., intrusion prevention or detection systems, and endpoint detection and response (EDR).
Administrative or procedural controls are management controls like policies, procedures, and standards by which technical or physical controls are governed, e.g., data classification, security audits, and business continuity planning (BCP).

Information security control functions

There are three main information security control functions and a couple of peripheral functions.

Three main information security control functions:

Preventive controls are implemented prior to a threat event occurrence with the goal of preventing it, e.g., locks, firewalls, and access control lists (ACLs).
Detective controls are designed to discover threats after they occur, e.g., CCTV, honeypots, and audit logs.
Corrective controls lessen or reverse the impact of an incident, e.g., uninterruptible power supply (UPS), vulnerability patching, and incident response plans.

Additional control functions:

Compensatory or alternative controls are leveraged when a required security measure (by law or regulation) is not able to be implemented due to business or financial constraints^[2], e.g., in place of encryption which may be costly to implement and increase transaction time, multiple encryption technologies across an organization may suffice in providing the same level of security such as e-mail encryption, database security, and DLP (Data-Leakage Prevention).
Deterrent controls reduce the likelihood of an incident based on its presence, e.g., security cameras, roving security guards, or regular security patrols around a building perimeter.

Information security control types and functions matrix & examples

Below is a table partially listing some examples of security controls and which type & function they perform, in accordance with the main types and functions of preceding sections.