Security controls are the mechanisms organizations use to protect data and systems. They fall into different categories based on what they do and how they work. Here's how they're organized.
Technical controls
Technical controls are implemented using systems and technology. These are the automated mechanisms that enforce security without human intervention.
Operating system controls include file permissions, user account policies, and access control lists. A user can't read a file without proper permissions. The OS enforces this automatically.
Firewalls control network traffic based on rules. They block unauthorized connections and allow legitimate ones. Antivirus software detects and removes malware. Encryption protects data at rest and in transit. Authentication systems verify user identities before granting access.
These controls run continuously without requiring someone to manually check each access attempt or scan each file.
Managerial controls
Managerial controls are administrative mechanisms associated with security design and implementation. These are the policies and procedures that define how security should work.
Security policies document what's allowed and what isn't. An acceptable use policy tells employees they can't use company computers for personal business. A password policy requires passwords to be 12 characters long and include special characters.
Standard operating procedures describe how to handle specific security tasks: how to provision new user accounts, how to respond to a data breach, how to classify sensitive data.
Risk assessments, security awareness training, and incident response plans all fall under managerial controls. They don't directly prevent attacks, but they establish the framework for how security works in the organization.
Operational controls
Operational controls are implemented by people instead of systems. These require human action to be effective.
Security awareness training teaches employees to recognize phishing emails. Background checks vet new hires before they get access to sensitive systems. Security guards patrol facilities. Administrators review logs for suspicious activity. Training shows up under managerial controls as well: defining the training program is managerial, while delivering it and having staff attend is operational.
The distinction from technical controls is that operational controls depend on people doing something. A firewall runs automatically. A security guard has to actually walk the perimeter.
Physical controls
Physical controls limit physical access to facilities and equipment. These prevent unauthorized people from physically touching systems.
Badge readers require employees to scan ID cards before entering secure areas. Locks on server room doors keep unauthorized people out. Biometric scanners verify fingerprints or retinal patterns. Security cameras record who enters and exits. Mantrap doors require one person at a time to pass through two doors in sequence.
Fences, gates, and guards are physical controls. So are locked cabinets for backup tapes and cable locks for laptops.
Physical security matters because all the technical controls in the world don't help if someone can walk into the server room and unplug drives.
Deterrent controls
Deterrent controls are meant to discourage intrusion attempts. They don't directly prevent access, but they make attackers think twice.
Warning signs that say "Authorized Personnel Only" or "This system is monitored" are deterrents. Visible security cameras deter theft even if they're not recording. Login banners that warn about prosecution deter casual unauthorized access.
The idea is to make the target look harder or riskier so attackers move on to easier targets. A house with a security system sign in the yard is less likely to be burglarized even if the system isn't armed.
Compensating controls
Compensating controls use alternative methods when existing controls aren't sufficient or can't be implemented. They're often temporary solutions that stay in place until the proper control is available.
If you can't implement two-factor authentication on a legacy system, you might require longer passwords and more frequent password changes as a compensating control. Not as good as 2FA but better than doing nothing.
If a critical patch can't be applied because it breaks a production application, you might implement additional network segmentation and monitoring as compensating controls until the patch compatibility issue is resolved.
If a firewall fails and the replacement won't arrive for two days, you might block all external access at the router level as a compensating control. That's more restrictive than necessary, but it maintains security until the proper control is back in place.
Why categories matter
Organizations need multiple types of controls working together. Technical controls alone aren't enough. A firewall won't help if an employee's laptop gets stolen from their car because there were no physical controls. Note that the categories overlap: technical, managerial, operational, and physical describe how a control is implemented, while deterrent and compensating describe what it's meant to achieve, so a single control can belong to both sets. A login banner, for example, is both technical and deterrent.
Regulations and compliance frameworks often require specific types of controls. PCI DSS requires both technical and physical controls for payment card data. Understanding categories helps map controls to requirements.
During security audits and assessments, evaluators look for defense in depth across all control categories. If all your controls are technical and none are physical or operational, you have gaps.
When one control fails or gets bypassed, controls in other categories provide backup protection. This is why you need layers. An attacker might defeat the technical controls but still get stopped by the physical controls or detected by the operational controls.
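A small gap check, added here as an example rather than anything from the original article, that puts the two points above into code: it reports assets whose inventory lacks one of the four implementation categories, and it flags compensating controls whose review date has passed (the "temporary" fix that quietly became permanent). The inventory, the `review_by` field and the category names used as dictionary keys are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# The four implementation categories from the article; a layered design
# should have at least one control from each for every important asset.
REQUIRED_CATEGORIES = {"technical", "managerial", "operational", "physical"}


@dataclass(frozen=True)
class Control:
    name: str
    category: str                    # technical / managerial / operational / physical
    asset: str                       # what the control protects
    compensating: bool = False       # stand-in for a control that can't be applied yet
    review_by: Optional[str] = None  # ISO date by which a compensating control is revisited


def coverage_gaps(controls: List[Control],
                  required: Set[str] = REQUIRED_CATEGORIES) -> Dict[str, Set[str]]:
    """Map each asset to the required categories it has no control in.
    Assets that are fully covered are left out of the result."""
    seen: Dict[str, Set[str]] = {}
    for c in controls:
        seen.setdefault(c.asset, set()).add(c.category)
    return {asset: required - cats for asset, cats in seen.items() if required - cats}


def overdue_compensating(controls: List[Control], today: str) -> List[str]:
    """Names of compensating controls whose review date is before `today`."""
    limit = date.fromisoformat(today)
    return [c.name for c in controls
            if c.compensating and c.review_by is not None
            and date.fromisoformat(c.review_by) < limit]


# Constructed sample inventory (assumed for this example, not from the article).
INVENTORY = [
    Control("Firewall rule set", "technical", "payment server"),
    Control("Disk encryption", "technical", "payment server"),
    Control("Badge reader on server room", "physical", "payment server"),
    Control("Weekly log review by admins", "operational", "payment server"),
    Control("Acceptable use policy", "managerial", "payment server"),
    Control("Antivirus", "technical", "staff laptops"),
    Control("Phishing awareness training", "operational", "staff laptops"),
    Control("Longer passwords instead of 2FA", "technical", "legacy app",
            compensating=True, review_by="2024-01-31"),
]

if __name__ == "__main__":
    print(coverage_gaps(INVENTORY))
    print(overdue_compensating(INVENTORY, "2024-06-01"))
```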