What is a Security Control?
A “security control” is a safeguard or countermeasure designed to satisfy one or more security requirements. Security controls are:
- The nexus (i.e., the center) of an organization’s cybersecurity and data protection program.
- Often aligned with one or more cybersecurity frameworks (e.g., SCF, NIST 800-53, NIST 800-171, NIST CSF, CIS CSC, ISO 27001, etc.).
- Generally thought of as technical, administrative or physical.
- Designed to prevent, detect, mitigate, or recover from security risks to systems, data, or operations.
Security controls are categorized by purpose (what the control does against a threat):
- Preventive: Block threats before they cause harm (e.g., access controls, firewalls, encryption).
- Detective: Identify incidents or policy violations as or after they occur (e.g., intrusion detection systems, log review, audits).
- Corrective: Reduce impact and restore systems after an incident (e.g., backups and restoration, patching).
- Compensating: Alternative measures that provide equivalent protection when the primary control cannot be implemented as specified (e.g., manual reviews in place of an automated check).
Security controls are also categorized by how they are implemented:
- Physical: Locks, cameras, security guards.
- Administrative: Policies, procedures, training, oversight.
- Technical: Software and hardware mechanisms such as anti-malware or authentication systems.
A single control usually has one purpose and one implementation type (e.g., a firewall is a technical, preventive control; a log review is an administrative, detective control).
The Integrated Controls Framework (ICF) model helps organizations design and implement a Governance, Risk & Compliance (GRC) program that is centered around cybersecurity and data protection controls.