Published November 18, 2019 • By Thea Garcia

Types of information security controls, intended to strengthen cybersecurity, include:

  • Security policies
  • Procedures
  • Plans
  • Devices
  • Software

They fall into three categories:

  • Preventive controls, designed to stop a cybersecurity incident from occurring in the first place
  • Detective controls, which identify a breach attempt (an “event”) or a successful breach (an “incident”), either while it is in progress or afterwards during review, and alert security personnel
  • Corrective controls, used after an incident to limit data loss and damage to information systems and to restore those systems as quickly as possible

Security controls come in the form of:

  • Access controls, including restrictions on physical access, such as security guards at building entrances, locks, and perimeter fences, and on logical access, such as authorization for privileged accounts
  • Procedural controls such as security awareness education, security framework compliance training, and incident response plans and procedures
  • Technical controls such as multi-factor authentication at login, antivirus software, and firewalls
  • Compliance controls, which implement the requirements of privacy laws and of cybersecurity frameworks and standards designed to minimize security risk. These typically require an information security risk assessment, impose specific security requirements, and carry penalties for non-compliance.

The most widely used information security frameworks and standards include:

  • The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • The International Organization for Standardization (ISO) standard ISO/IEC 27001, Information Security Management Systems
  • The Payment Card Industry Data Security Standard (PCI DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA)