Security Controls: Categories and Functions

Key Takeaways

  • Controls are often grouped as technical, administrative, and physical.
  • Controls can also be described by function, such as preventive, detective, corrective, deterrent, and compensating.
  • A single control can fit more than one function depending on how it is used.
  • Layered control thinking reduces reliance on one safeguard and supports defense in depth.
  • Scenario answers should match the control type and function to the stated risk.
Last updated: April 2026

Key Concepts

Security controls are safeguards used to manage risk. CC scenarios often test whether you can choose a control that fits the problem. Two useful ways to classify controls are category and function.

Control categories describe the nature of the safeguard. Technical controls are implemented through technology. Examples include MFA, encryption, firewalls, endpoint protection, access control lists, logging, vulnerability scanning, and backups. Administrative controls are policies, processes, training, standards, contracts, approvals, risk assessments, and background checks. Physical controls protect facilities, equipment, and people through locks, fences, guards, cameras, visitor badges, cable locks, lighting, and fire suppression.

Category        What it uses                     Example
Technical       Systems or software              MFA, encryption, firewall rule
Administrative  Governance or process            Policy, training, access review
Physical        Facility or hardware protection  Lock, badge reader, camera

Control functions describe what the safeguard does. Preventive controls try to stop an unwanted event before it occurs. Detective controls identify events that happened or are happening. Corrective controls restore systems or reduce damage after an event. Deterrent controls discourage unwanted behavior. Compensating controls provide an alternate safeguard when the preferred control is not feasible.

Function      Purpose               Example
Preventive    Stop or block         MFA, least privilege, locked door
Detective     Find or alert         Log review, IDS alert, camera recording
Corrective    Restore or repair     Backup restore, patching after incident
Deterrent     Discourage            Warning banner, visible guard, sanctions
Compensating  Alternate protection  Extra monitoring for a legacy system

A control can have more than one role. A camera may deter someone from entering a restricted area and also provide detective evidence after an event. A security awareness program is administrative and can be preventive if it helps users avoid phishing. Backups are technical and usually corrective because they help restore service after data loss.

Exam Application

Layered control thinking is important. If a company protects payroll data only with a password, one failure can become a major incident. A stronger design uses multiple controls: HR policy defining who may access payroll, least privilege in the payroll system, MFA for login, encryption for stored data, logging for unusual access, periodic access reviews, user training, and backups. No single control has to be perfect for the overall risk to be reduced.

Scenario example: A warehouse has repeated unauthorized after-hours entry. A preventive physical control could be a stronger lock or badge-controlled door. A detective physical control could be camera recording or alarm monitoring. A deterrent could be visible signage and lighting. An administrative control could be a visitor policy and disciplinary process. If budget prevents immediate replacement of doors, temporary guard patrols and alarm monitoring might be compensating controls.

Scenario example: A legacy application cannot enforce strong passwords or MFA. A poor answer is to accept the risk without analysis. Better answers may include compensating controls: isolate the application on a restricted network, require access through a monitored jump host, limit accounts, review logs daily, document an exception, and create a retirement plan. The exact answer depends on what the question asks: prevent access, detect misuse, correct after failure, deter behavior, or compensate for a missing safeguard.
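The compensating controls in the legacy-application scenario include a monitored jump host, a limited set of accounts, and daily log review. The Python script below is an added example, not part of the original page: it implements that daily review over constructed sample log lines, flagging logons that bypass the jump host, use an account outside the approved set, or fail repeatedly. The jump host address, approved account names and log format are assumptions.

```python
"""Daily log review for a legacy app protected by compensating controls.
Added example, not from the original page; the jump host address, approved
accounts and log format are constructed assumptions."""
from collections import Counter

JUMP_HOST = "10.0.9.5"                              # assumed monitored jump host
APPROVED_ACCOUNTS = {"payroll_ops", "payroll_admin"}  # assumed limited account set
FAILURE_THRESHOLD = 3                               # failures per account per day

# Constructed sample log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-04-01T08:02:11 app=legacy-payroll user=payroll_ops src=10.0.9.5 result=success
2026-04-01T08:05:40 app=legacy-payroll user=payroll_ops src=10.0.5.20 result=success
2026-04-01T09:10:03 app=legacy-payroll user=temp_contractor src=10.0.9.5 result=success
2026-04-01T22:41:00 app=legacy-payroll user=payroll_admin src=10.0.9.5 result=failure
2026-04-01T22:41:07 app=legacy-payroll user=payroll_admin src=10.0.9.5 result=failure
2026-04-01T22:41:15 app=legacy-payroll user=payroll_admin src=10.0.9.5 result=failure
"""

def parse_line(line):
    """Parse 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def review_log(text):
    """Return (rule, detail) findings: jump-host bypass, unapproved account,
    and repeated failed logons. Each finding is something the daily review
    should escalate under the documented exception."""
    findings, failures = [], Counter()
    for e in (parse_line(l) for l in text.splitlines() if l.strip()):
        if e["src"] != JUMP_HOST:
            findings.append(("bypassed_jump_host", f"{e['ts']} {e['user']} from {e['src']}"))
        if e["user"] not in APPROVED_ACCOUNTS:
            findings.append(("unapproved_account", f"{e['ts']} {e['user']}"))
        if e["result"] == "failure":
            failures[e["user"]] += 1
    for user, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated_failures", f"{user}: {count} failed logons"))
    return findings

if __name__ == "__main__":
    for rule, detail in review_log(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The three findings on the sample input are the detective side of the compensating controls; the exception document should say who reviews them and what action follows.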

For exam questions, read the verb. If the organization wants to prevent unauthorized access, choose a preventive control such as MFA or least privilege. If it wants to know when access occurs, choose logging or monitoring. If it wants to restore after ransomware, choose backups and recovery procedures. If it cannot deploy the normal control, look for a compensating control that reduces risk in another way.

Test Your Knowledge

Which control is primarily corrective in a ransomware recovery scenario?

Test Your Knowledge: Multi-Select

Which examples are administrative controls? Choose two.

Select all that apply

Security policy
User awareness training
Firewall ACL
Door lock
Test Your Knowledge: Matching

Match each control function to the best example.

Match each item on the left with the correct item on the right

1. Preventive
2. Detective
3. Corrective
4. Deterrent