This article identifies four types of internal controls an organization needs to consider for its cyber security: Preventive Controls, Detective Controls, Corrective Controls, and Compensating Controls. Note that a single control does not have to fit exclusively into one of these four basic categories.
The examples listed in each category are not exhaustive; they illustrate what falls into each category.
Preventive Controls
Preventive Controls are intended to stop something undesirable before it happens. They are proactive in that they prevent an unwanted event rather than respond to it. Some examples are:
- Firewalls
- Anti-Virus Software
- Security Awareness Training
- Separation of Duties
- Restrictive User Access
- Endpoint Detection and Response
- Virtual Private Network
- Managed Detection and Response Provider
- Intrusion Prevention System
- Multi-Factor Authentication
- Password Complexity Requirements
- Termination of User Access Rights
- Software Whitelisting
Detective Controls
Detective Controls exist to detect and report when errors, omissions, and unauthorized uses or entries occur. Some examples may include:
- Systems Monitoring
- Anti-Virus
- Network Intrusion Detection System (IDS)
- Security Event Management (SEM) Systems
- Log Management
- Contract Review of Third-Party Service Providers
- Managed Detection and Response Provider
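Systems monitoring and log management only count as detective controls if something actually reads the logs and reports what it finds. The following is an added example, not code from the original article: a small detective control that scans authentication log lines for repeated failed logins from one source, reports when they exceed a threshold, and separately reports a successful login from a source that was already flagged. The log format, the five-failures-in-sixty-seconds threshold and the sample lines are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical sshd-style format, not real data).
# 203.0.113.7 fails five times in a few seconds and then succeeds;
# 198.51.100.20 fails twice, but 25 minutes apart.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:07 sshd: Failed password for backup from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 sshd: Failed password for alice from 198.51.100.20
2024-03-01T09:30:00 sshd: Failed password for alice from 198.51.100.20
"""

# Pattern for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Detective control: report sources with `threshold` or more failed logins
    inside a sliding `window`, and any later success from a flagged source.

    Returns a list of alert dicts in the order the triggering lines appear.
    Thresholds are assumptions for the example, not recommended values.
    """
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    alerted = set()               # sources already reported, to avoid duplicate alerts

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unrelated or malformed line; a real control would count these too
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]

        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            if len(failures[src]) >= threshold and src not in alerted:
                alerts.append({"type": "brute_force", "src": src,
                               "count": len(failures[src]), "at": ev["ts"]})
                alerted.add(src)
        elif src in alerted:
            # A success after a flagged burst is the event an analyst most wants to see.
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Note what this control does not do: it never blocks the source. Blocking would make it preventive (an intrusion prevention system) and correcting the account would make it corrective; this function only detects and reports, which is exactly the boundary the article draws.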
Corrective Controls
Corrective Controls come into play when an error or fault is discovered. Their purpose is to correct errors, omissions, and unauthorized uses and intrusions.
- Upgrades to operating systems and applications. This also includes implementing patches to fix discovered vulnerabilities.
- Anti-Virus
- Endpoint Detection and Response
- Restoring data from backup media
- Revocation of user system access. A user leaves your company and you promptly disable their credentials, preventing them from accessing your systems.
- Managed Detection and Response Provider
Compensating Controls
Compensating Controls are probably the most misunderstood of the four categories. Your organization may work with technology that is old, unique, or custom made for your operations. Such technology often cannot be upgraded to satisfy current security standards or measures, because the upgrade is too difficult or impractical to implement. A compensating control reduces the resulting risk by other means. Some examples are:
- System Isolation – for example, applying the risk management concept of segregation by placing a digital barrier between your operational technology and the rest of your network.
- Hot Site for disaster recovery operations.
- Backup electrical generator
- Application Whitelisting
You need to strike a balance among these types of controls for your organization to have an effective cyber security program. For example, if you are heavy on technical controls but have limited administrative controls, you will have gaps in your cyber security program.
In part three of this series we will dig deeper into three more controls to consider which are Administrative, Physical and Technical controls.