Controls are a vital part of an organization's ability to maintain course in the face of adverse events. There are many categories of controls, and they all play into one another. Utilizing only one control type or category will not create a sound posture for cybersecurity. There are more ways to break down controls and their implementations than what is presented here, but we will stick to the major categories.
Administrative Controls: These controls include standards and directives meant to change or direct the behavior of personnel instead of directly removing the hazard. MIT has a nice definition of them here.
Preventative Controls: Controls that stop a problem as or before it occurs are preventative. A good example is an intrusion prevention system (IPS).
Detective Controls: These controls check activities against approved functionality to detect anomalous, unapproved, and potentially dangerous activity. Reviewing detection logs is important to ensure activities stay aligned with the policies in place for that system.
Corrective Controls: This type of control is used to reduce the impact of a certain deficiency and return a system to a healthy state after an incident has occurred. It is a vital step in incident response handling.
Administrative Controls: Since these controls are often policies and standards throughout an organization, it is common to see high-level policies as the most used form of administrative controls. A good example would be security awareness training programs or bring your own device (BYOD) policies. It may be the case that other types of controls, such as technical (logical) or physical, are used to enforce administrative controls, but they are distinct. Policies that guide the behavior of personnel are administrative controls.
Preventative Controls: An example of preventative controls would be something like regular system security patching. This tackles the problem of exposed vulnerabilities even if the vulnerabilities haven't been exploited yet. Another good example is basic user permissions. By making sure users have access to only the services and data they should, we help prevent accidental or intentional breaches and misuse.
Detective Controls: The most notable detective controls are SIEM systems. By aggregating data from devices and network traffic, they detect incidents in real time, allowing teams to react efficiently. Detective controls can also include malware detection and anti-virus software. Understanding where the preventative controls have failed is the job of detective controls.
Corrective Controls: Policies on the actions to take after a security incident has occurred will include things like replacing damaged assets, changing passwords, isolating infected systems and files, terminating processes, applying patches, etc. Corrective controls come into play when preventative controls have failed and detective controls have discovered an issue.
When it comes to selecting new controls and implementing them, there are a few major questions to ask yourself. If you cannot answer these questions, it is best to take a step back and reevaluate whether this control is actually going to help your organization.
It is also important to come back and revisit security controls regularly. Environments, technologies, and regulations change, and you will need to change as well.