🧠 Domain 1 – Security and Risk Management
🧱 D1.7 – Security Control Types & Functions (🇬🇧 / 🇫🇷)
This memo summarizes the types and functionalities of security controls used to protect systems and organizations.
🔒 Categories of Controls
| Category | Description | Examples |
|---|---|---|
| Administrative (a.k.a. managerial / soft controls) | Policies and processes set by management | Security policies, hiring practices, training, background checks |
| Technical (a.k.a. logical controls) | Implemented via hardware/software | Firewalls, access control lists, encryption, passwords |
| Physical | Protect people, facilities, and hardware | Fences, locks, guards, CCTV, doors |
🧠 FR : Les contrôles peuvent être de type administratif (gestion), technique (IT) ou physique (bâtiment, personnes).
⚙️ Functional Types of Controls
| Function | Purpose | Examples |
|---|---|---|
| Preventive | Stop an incident from occurring | Locks, firewalls, biometrics, security policies |
| Detective | Detect when something went wrong | CCTV, IDS, audit logs, alarms |
| Corrective | Fix damage after an incident | Backups, patching, restoring systems |
| Deterrent | Dissuade potential attackers | Warning signs, fences, lighting, fake cameras |
| Recovery | Restore operations after disruption | DRP, system rebuilds, data recovery |
| Compensating | Alternate control when ideal one is not possible | Temporary access control, isolation zone |
🧠 FR : Chaque contrôle a une fonction : empêcher, détecter, corriger, dissuader, restaurer ou compenser.
🧾 CISSP Example – What is a Fence?
| Attribute | Type |
|---|---|
| Category | Physical |
| Functions | Preventive ✅ Deterrent ✅ |
Fences block access (preventive) and signal “stay out” (deterrent), but don’t detect intrusion on their own.
📸 CISSP Control Types Cheat Sheet
| Control | Category | Function(s) |
|---|---|---|
| Locks | Physical | Preventive |
| Firewalls | Technical | Preventive |
| Motion Detectors | Physical | Detective |
| Security Policy | Admin | Preventive |
| CCTV | Physical | Detective (sometimes Recovery) |
| Security Guard | Physical | Preventive + Detective |
| Antivirus | Technical | Preventive + Detective |
| Backups | Technical | Corrective + Recovery |
| Warning Sign | Admin | Deterrent |
| DRP | Admin | Recovery |
| Audit Logs | Technical | Detective |
💡 Tip for Exam
Ask:
- ❓ “What is the goal of this control?”
- 🧠 “What kind of control delivers that?”
🔄 Many controls have multiple functions.
Example: CCTV can be detective (real-time monitoring) or recovery (forensic review).
🛡️ Defense in Depth
Defense in Depth is a layered security strategy that uses multiple types of controls to protect assets.
🔄 Principle:
"What you can't prevent, you should detect.
What you detect, you should correct."
| Layer | Example Control Types |
|---|---|
| Outer | 🔒 Fences, signs, guards (Physical) |
| Middle | 🔐 Authentication, firewalls, ACLs (Technical) |
| Inner | 🔍 Logging, monitoring, backups (Administrative & Recovery) |
🧠 FR : Défense en profondeur = plusieurs couches de sécurité. Si une barrière échoue, une autre prendra le relais.
✅ CISSP Exam Tip
❗ You can’t rely on just one control. Use redundant, layered protection.
- Ex: Badge access + CCTV + logs = better protection
- Use Preventive + Detective + Corrective together