There are numerous control types you should know as a security professional. There are managerial, operational, technical, preventative, detective, responsive, corrective, and compensating controls.
Preventative controls are proactive measures put in place to deter events from happening. Examples are separation of duties, passwords, and employee training and screening. Detective controls are measures implemented to detect errors and problems after they occur, such as a SIEM. Responsive and corrective controls are implemented to provide automated responses to known issues, and they are orchestrated to work alongside preventative and detective controls. The difference between the two is that responsive controls are designed to fix deviations from the security baseline, while corrective controls simply correct the identified issues.
Technical, administrative, and physical controls are a further way of categorizing controls so that responsibilities can be assigned to different job billets. Physical controls include things like fences, gates, and cameras; technical controls include firewalls and antivirus; and administrative controls include separation of duties and audits.
Compensating controls are measures put in place to lower risk when the proper control cannot be implemented, whether because of cost or some other reason. An example is using a small locker because the company cannot afford a vault.
For the exam, one must understand where different measures fall within these control categories. For example, an intrusion detection system is a technical control but is also a detective control. Having an incident response plan is a corrective control but is also an administrative control.