Security Controls: Categories and Functions
Key Takeaways
- Controls group by category (technical, administrative, physical) and by function (preventive, detective, corrective, deterrent, compensating).
- Technical = technology, administrative = governance and people processes, physical = facility and hardware protection.
- One control can serve more than one function; a camera both deters and provides detective evidence.
- Defense in depth layers controls so no single failure becomes a major incident.
- On the exam, match the control category and function to the verb in the question: prevent, detect, correct, deter, or compensate.
Key Concepts
Security controls are safeguards that manage risk. CC scenarios test whether you can pick a control that fits the stated problem. Two classification schemes do most of the work: category (the control's nature) and function (what it does).
Categories:
- Technical (also called logical) controls run through technology: MFA, encryption, firewalls, endpoint protection, access control lists, logging, vulnerability scanning, and backups.
- Administrative (managerial) controls are governance and people processes: policies, standards, security-awareness training, access reviews, background checks, risk assessments, and contracts.
- Physical controls protect facilities, equipment, and people: locks, fences, guards, cameras, visitor badges, mantraps, cable locks, lighting, and fire suppression.
| Category | What it relies on | Example |
|---|---|---|
| Technical | Systems or software | MFA, encryption, firewall rule |
| Administrative | Governance or people process | Policy, training, access review |
| Physical | Facility or hardware protection | Lock, badge reader, camera |
Functions describe the safeguard's job:
| Function | Purpose | Example |
|---|---|---|
| Preventive | Stop or block before it happens | MFA, least privilege, locked door |
| Detective | Find or alert during or after | Log review, IDS alert, camera recording |
| Corrective | Restore or repair after an event | Backup restore, patch after incident |
| Deterrent | Discourage the behavior | Warning banner, visible guard, sanctions |
| Compensating | Alternate when the preferred control is infeasible | Extra monitoring for a legacy system |
A single control often plays multiple roles. A camera deters entry to a restricted area and provides detective evidence afterward. Security-awareness training is administrative and preventive when it stops users from falling for phishing. Backups are technical and usually corrective because they restore service after loss. Two recovery-related functions are worth distinguishing: corrective controls fix the immediate problem; recovery controls restore full operations afterward.
Exam Application
Defense in depth (layered control thinking) is central. Protect payroll data with only a password and one failure becomes a breach. A layered design uses: an HR policy defining who may access payroll (administrative), least privilege in the payroll system (technical/preventive), MFA at login (technical/preventive), encryption at rest (technical/preventive), logging of unusual access (technical/detective), periodic access reviews (administrative/detective), user training (administrative/preventive), and backups (technical/corrective). No single control must be perfect for overall risk to drop.
Scenario: a warehouse suffers repeated unauthorized after-hours entry. A preventive physical control is a badge-controlled door or stronger lock. A detective physical control is camera recording or alarm monitoring. A deterrent is visible signage and lighting. An administrative control is a visitor policy with a disciplinary process. If the budget blocks immediate door replacement, compensating controls such as guard patrols and alarm monitoring bridge the gap.
Scenario: a legacy application cannot enforce strong passwords or MFA. A weak answer is to accept the risk with no analysis. Better: compensating controls — isolate the app on a restricted segment, require access via a monitored jump host, limit accounts, review logs daily, document an exception, and set a retirement plan.
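To make the detective half of that compensating package concrete, here is an added example (not code from the original page): a Python script that performs the "review logs daily" step for the legacy app. The log format, the host names `legacyapp01` and `jump01`, the allowed-account list, the business hours and the sample log lines are all constructed assumptions for illustration. It flags logins by accounts outside the documented exception list, logins that did not come through the jump host, after-hours logins, and repeated failures. It blocks nothing, which is exactly what makes it a detective control rather than a preventive one.

```python
"""Daily review of legacy-app logins that should arrive only via a jump host.

Added example, not code from the original page. The log format, host names,
account list, business hours and sample lines are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Assumed values recorded in the documented exception for the legacy app.
ALLOWED_ACCOUNTS = {"payroll-ops1", "payroll-ops2"}   # the "limit accounts" step
JUMP_HOST = "jump01"                                  # the only permitted source
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
FAIL_THRESHOLD = 3                                    # consecutive failures before flagging

# Finding labels, kept as constants so reports (and tests) can match on them.
NOT_ON_LIST = "account not on the documented exception list"
BYPASSED_JUMP = "login did not come through the jump host"
AFTER_HOURS = "after-hours login"
REPEATED_FAIL = "repeated failed logins"

# Constructed sample export in an assumed syslog-like format:
#   <ISO timestamp> <app host> legacy-login user=<account> src=<source> result=<ok|fail>
SAMPLE_LOG = """\
2024-05-06T08:12:04 legacyapp01 legacy-login user=payroll-ops1 src=jump01 result=ok
2024-05-06T09:40:31 legacyapp01 legacy-login user=payroll-ops2 src=jump01 result=ok
2024-05-06T13:02:17 legacyapp01 legacy-login user=payroll-ops1 src=ws-117 result=ok
2024-05-06T22:47:55 legacyapp01 legacy-login user=payroll-ops2 src=jump01 result=ok
2024-05-06T23:01:09 legacyapp01 legacy-login user=svc-backup src=jump01 result=ok
2024-05-06T23:01:40 legacyapp01 legacy-login user=admin src=jump01 result=fail
2024-05-06T23:01:52 legacyapp01 legacy-login user=admin src=jump01 result=fail
2024-05-06T23:02:03 legacyapp01 legacy-login user=admin src=jump01 result=fail
"""


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    host: str
    account: str
    source: str
    result: str


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the assumed format into a LoginEvent."""
    timestamp, host, _event, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return LoginEvent(datetime.fromisoformat(timestamp), host,
                      kv["user"], kv["src"], kv["result"])


def review_log(text: str, fail_threshold: int = FAIL_THRESHOLD) -> Counter:
    """Count (account, reason) findings over one day's log.

    Detective only: it reports what happened and prevents nothing.
    """
    findings: Counter = Counter()
    consecutive_failures: dict[str, int] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.account not in ALLOWED_ACCOUNTS:
            findings[(ev.account, NOT_ON_LIST)] += 1
        if ev.source != JUMP_HOST:
            findings[(ev.account, BYPASSED_JUMP)] += 1
        if not BUSINESS_START <= ev.when.time() <= BUSINESS_END:
            findings[(ev.account, AFTER_HOURS)] += 1
        if ev.result == "fail":
            consecutive_failures[ev.account] = consecutive_failures.get(ev.account, 0) + 1
            if consecutive_failures[ev.account] == fail_threshold:
                findings[(ev.account, REPEATED_FAIL)] += 1
        else:
            consecutive_failures[ev.account] = 0   # a success resets the streak
    return findings


def format_report(findings: Counter) -> str:
    """Render findings one per line, most frequent first."""
    lines = [f"{count:>3}  {account:<14} {reason}"
             for (account, reason), count in findings.most_common()]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(format_report(review_log(SAMPLE_LOG)))
```

Run directly, it prints the findings for the embedded sample: one jump-host bypass by `payroll-ops1`, after-hours logins, an unlisted `svc-backup` account, and a burst of failed `admin` logins. In practice the text would be the previous day's export from the jump host or the application's own authentication log, and the allowed-account list would be the one recorded in the exception document, so the review checks the technical reality against the administrative decision.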
The single most reliable CC strategy is to read the verb. "Prevent unauthorized access" -> preventive (MFA, least privilege). "Know when access occurs" -> detective (logging, monitoring, alerts). "Restore after ransomware" -> corrective (backups and recovery procedures). "Discourage misuse" -> deterrent (banner, signage, sanctions). "The normal control will not work" -> compensating. Distractors often offer the right category but the wrong function, so confirm both the nature of the safeguard and the job the question is asking it to do.
The exam also contrasts defense in depth with two related ideas. Defense in depth layers different kinds of controls so an attacker must defeat several to succeed. Redundancy duplicates the same control (two firewalls, two power supplies) so that one failure does not cause an outage; it improves availability but is not the same as layering different control types. Least privilege grants each user or process only the access it needs; combined with separation of duties (no single person controls an entire sensitive transaction), it limits how much damage one compromised account can do.
A CC item that asks for the principle preventing one administrator from both creating and approving payments is testing separation of duties, not defense in depth.
Use this quick mapping to choose controls under pressure:
| The scenario wants to... | Function to pick | Typical control |
|---|---|---|
| Block the event up front | Preventive | MFA, least privilege, locked door, firewall rule |
| Notice the event | Detective | Logging, SIEM alert, camera, alarm |
| Recover after the event | Corrective/recovery | Backup restore, failover, patch |
| Discourage the actor | Deterrent | Warning banner, visible guard, sanctions |
| Substitute for an infeasible control | Compensating | Isolation plus monitoring for a legacy app |
Question writers exploit a few precise distinctions. Encryption is preventive against disclosure, not detective: it does not tell you an attack happened, it makes stolen data unusable. Audit logs are detective even though they are technical; they do not stop anything by themselves. A guard can be preventive (checking badges), detective (spotting an intruder), and deterrent (visible presence) at once, so the correct function depends on what the guard is doing in that scenario. Finally, awareness training is administrative and preventive, but if it teaches staff to report suspicious email it also supports detection.
When an option could fit two functions, anchor on the action the question emphasizes — block, find, restore, discourage, or substitute — and select accordingly.
Practice Questions
- Which control is primarily corrective in a ransomware recovery scenario?
- Which examples are administrative controls? Choose two.
- Match each control function to the best example.