Security Controls - CompTIA Security+ SY0-701 - 1.1
Security Controls - CompTIA Security+ SY0-701 - 1.1
If you’ve spent any amount of time in IT security, you know there are many different security risks that you need to prepare for. The attackers are looking for different ways to gain access to our systems. And we need to find different ways to prevent them from getting that access. But of course, we’re not just protecting data. We’re also protecting physical systems, buildings, people, and everything in our organization. In this chapter, we’ll look at different security controls and how they can be used to prevent events from occurring in the first place. We can minimize the impact of events that ultimately do occur. And in many cases, we can limit the damage if someone does find a way into our computing environment.
Let’s look at some very broad categories of security controls.
Technical controls
The first category we’ll look at are technical controls. These are controls that we implement using some type of technical system. So if you’re someone who is managing an operating system, you might set up policies and procedures within the operating system that would allow or disallow different functions from occurring. We can also put firewalls, antivirus, and other types of software into this category of technical controls.
Managerial controls
As a security administrator, you’ll also want to create a series of policies that explain to people the best way to manage their computers, their data, or their other systems. We refer to these as managerial controls. So if you are creating a series of policies and procedures or you’re creating an official security policy documentation, you’ll often put these managerial controls inside of your security policies. You might also see these managerial controls implemented into day-to-day processes as part of your standard operating procedures.
Operational controls
Another important control category are the operational controls. Unlike using technology to manage these controls, operational controls are using people to be able to set these controls. So if you have security guards at your place of work, you’re doing monthly lunch and learns, or you have some type of posters or awareness program at work to help explain the best practices for IT security, then you can put these into the category of operational controls.
Physical controls
And the last category that we have are physical controls. As the name implies, these are controls that would limit someone’s physical access to a building, a room, or a device. This might be something like a guard shack. So they can check everyone coming into a particular area. Maybe there are fences and locks to keep people out. Or maybe use badge readers to limit the access into certain areas within your building.