Security control types and functions

After you determine a priority for each issue, check out the list of security controls and select the options that provide the most benefit for your system.

The most beneficial security controls are found across multiple STRIDE categories. In most cases, they're also relatively inexpensive to implement.

Security-control types

As you assess each security control, notice how it falls into one of the following types:

Type | Description
Physical | Controls that physically prevent or detect unauthorized access. Examples include gates, badges, cameras, lighting, and suppression systems.
Technical | Controls that logically protect your system. Examples include firewalls, antivirus, access control lists, and encryption.
Administrative | Controls referring to policies that define processes for your system. Examples include data classification, auditing, and restrictions.

Note

Depending on your system, you should apply security controls across all types to help create layers for a more secure system.

Security-control functions

Along with the three main types, security controls also have five different functions to help you apply multiple layers of security.

Function | Description | Example
Preventative | Does this strategy help reduce the probability or impact of this threat? | Locks, firewalls, data classification
Detective | Does this strategy help identify attacks against my system as they happen? | Surveillance, honeypots, audit logs
Corrective | Does this strategy help control how I respond to an incoming attack? | Physical repair, system patches, incident response plans
Recovery | Does this mitigation help my service recover from an attack? | Hot-sites, system backups, disaster recovery plan
Deterrent | Does this mitigation help keep attackers away from my system? | Fences, least privilege, authorized use policy

Tip

Depending on issue priority, you may want to consider multiple security-control functions to secure your system before, during, and after a potential breach.

How it all comes together

Together with the security-control types, security-control functions create a matrix that helps you make the right selections. Here are a few examples:

Function | Physical | Logical | Administrative
Preventative | Locks | Firewalls | Data classification
Detective | Surveillance | Honeypots | Audit logs
Corrective | Physical repair | System patches | Incident response plans
Recovery | Hot sites | System backups | Disaster recovery plan
Deterrent | Fences | Least privilege | Authorized use policy
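
The matrix can also be used as a coverage check: place the controls you selected for each issue into their type and function cells, then list the functions and types that are still empty. The following is an added example, not part of the original module; the two issue names are hypothetical, the sample selection is constructed, and the "Logical" column is treated as the Technical type.

```python
from collections import defaultdict

TYPES = ("physical", "technical", "administrative")   # "Logical" column = technical
FUNCTIONS = ("preventative", "detective", "corrective", "recovery", "deterrent")

# Constructed sample: (issue, control, type, function). Issue names are
# hypothetical; controls and their cells come from the matrix above.
SELECTED = [
    ("T1-spoofed-admin-login", "Firewalls", "technical", "preventative"),
    ("T1-spoofed-admin-login", "Audit logs", "administrative", "detective"),
    ("T1-spoofed-admin-login", "Least privilege", "technical", "deterrent"),
    ("T2-datacenter-intrusion", "Locks", "physical", "preventative"),
    ("T2-datacenter-intrusion", "Surveillance", "physical", "detective"),
    ("T2-datacenter-intrusion", "Incident response plans", "administrative", "corrective"),
    ("T2-datacenter-intrusion", "System backups", "technical", "recovery"),
]

def build_matrix(selected):
    """Return {issue: {function: {type: [controls]}}}, rejecting unknown labels."""
    matrix = defaultdict(lambda: {f: {t: [] for t in TYPES} for f in FUNCTIONS})
    for issue, control, ctype, func in selected:
        if ctype not in TYPES or func not in FUNCTIONS:
            raise ValueError(f"unknown type/function for {control!r}: {ctype}/{func}")
        matrix[issue][func][ctype].append(control)
    return dict(matrix)

def coverage_gaps(matrix):
    """Per issue, list the functions and types that have no selected control."""
    gaps = {}
    for issue, rows in matrix.items():
        gaps[issue] = {
            "functions": [f for f in FUNCTIONS if not any(rows[f].values())],
            "types": [t for t in TYPES if not any(rows[f][t] for f in FUNCTIONS)],
        }
    return gaps

def render(rows):
    """Format one issue's matrix as plain-text rows, '-' marking an empty cell."""
    lines = ["{:<13}{:<14}{:<18}{}".format("Function", *[t.title() for t in TYPES])]
    for f in FUNCTIONS:
        cells = [", ".join(rows[f][t]) or "-" for t in TYPES]
        lines.append("{:<13}{:<14}{:<18}{}".format(f.title(), *cells))
    return "\n".join(lines)

if __name__ == "__main__":
    matrix = build_matrix(SELECTED)
    for issue, gap in coverage_gaps(matrix).items():
        print(f"\n{issue}\n{render(matrix[issue])}")
        print("  no control for functions:", ", ".join(gap["functions"]) or "none")
        print("  no control for types:    ", ", ".join(gap["types"]) or "none")
```

An empty function or type is a prompt to revisit the issue's priority, not an automatic finding: a low-priority issue may not justify a control in every cell.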

Check your knowledge

1. What is an example of an administrative security control?

2. What does a corrective security control do?