Netops
1/20/22, 10:31 AM Security Controls
https://leocontent.umgc.edu/content/umuc/tus/cmit/cmit320/2222/learning-topic-list/security-controls.html?ou=623775 1/3
Learning Topic
Security Controls
The goal of IT security is to protect the people, property, and data assets of the
organization. Organizations use security controls to minimize risks to those assets.
Security controls can be classified by type: physical, technical, or administrative. All three
are necessary for robust security (Walkowski, 2019).
Physical Controls
Physical controls involve security measures that safeguard and protect physical assets
against unauthorized access, damage, loss, or theft from natural and man-made events.
Examples of physical controls include fences, gates, security guards, lighting, closed-circuit
surveillance, motion sensors, access control systems (biometrics, access cards), and locked
and dead-bolted steel doors.
Among physical controls, the use of personnel can be effective, but it is also the most
expensive countermeasure to reduce physical security risks. Ouyang (2012) states that
security guards can be used to:
check credentials at entry points
ensure company property does not leave facility
monitor intrusion detection systems
verify doors and windows are locked
watch for suspicious activity
Technical Controls
Technical controls, also called logical controls, use technology to restrict the access and
usage of sensitive data. Examples of the hardware and software used for technical
controls include authentication solutions, firewalls, antivirus software,
encryption, and intrusion detection and protection systems.
Administrative Controls
Administrative or procedural security controls involve the procedures and policies that
define and guide employees and users when dealing with the organization’s assets. These
include employee training and awareness programs, hiring and termination policies, data
classification, equipment and internet usage guidelines, separation of duties, and disaster
preparedness and recovery plans (Walkowski, 2019).
Compensating Controls
There is an additional category of controls called compensating or alternative controls.
These are physical, technical and/or administrative controls employed by an organization
in lieu of a recommended security control. These security measures are used to prevent a
gap in IT compliance when the security requirements are too difficult or impractical to
implement due to legitimate technological or business constraints (Bisson, 2016).
For example, organizations ideally should have two or more staff members complete
separate parts of certain tasks, such as developing and testing a security system. This
prevents fraud and employee error, because no single person has sole accountability for
the task.
However, if an organization has a very small staff, it might need to have one employee
complete the task. To compensate, the organization may implement a compensating or
alternative control such as having that one employee maintain detailed logs and give
reports to an audit committee or hiring a third party to monitor the process (Reeds, 2017).
References
Bisson, D. (2016). Compensating controls: An impermanent solution to an
IT compliance gap. Tripwire.
https://www.tripwire.com/state-of-security/security-data-protection/compensating-controls/
Ouyang, A. (2012). Physical (environmental) security domain [PowerPoint slides]. CISSP
Common Body of Knowledge Review.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=2ahUKEwi4h7mKxoXmAhUE11kKHac2AqgQFjACegQIAxAC&url=http%3A%2F%2Fopensecuritytraining.info%2FCISSP-6-PS_files%2F6-Physical_Security.pdf&usg=AOvVaw3RNR5kwdnhG-1tHRQYeH9Z
Reeds, C. (2017). Separation of duties and IT security [Blog post].
https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security
Walkowski, D. (2019). What are security controls? An overview of the types of
countermeasures security practitioners use to reduce risk. F5.
https://www.f5.com/labs/articles/education/what-are-security-controls
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.