Security Controls
What a control is, and the three types
Picture one server room. A locked door keeps strangers out, a firewall keeps hostile traffic out, and a written policy keeps staff from propping the door open. Three very different safeguards, one job: lower the risk to the data inside. That shared job is what makes each of them a security control, a safeguard or countermeasure put in place to protect the confidentiality, integrity, and availability[1] of information and systems.
Controls are easiest to learn when you sort them by how they are carried out. The CC outline uses three types.
- Technical controls (also called logical controls) are enforced by the system itself, through hardware, software, or firmware[2]. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, it is technical.
- Administrative controls (also called managerial controls) are the policies, procedures, and human practices that direct how people behave. A security policy, a background check before hiring, separation of duties, and a security-awareness program are administrative controls. If the control works by telling people what to do, it is administrative.
- Physical controls protect the tangible world. Fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems are physical controls. If you could touch it or walk into it, it is physical.
The federal standard FIPS 200[1] draws the same map with slightly different labels, calling controls management, operational, and technical. The two schemes line up closely: management and operational map onto the CC "administrative" idea, technical stays technical, and physical controls sit inside the operational group. For the CC exam, learn the three everyday names, technical, administrative, and physical, and treat FIPS 200 as the formal source they come from.
The single most common beginner error is to assume one type is "the security stuff" and the others are paperwork. They are equals. Most real safeguards need all three working together, which is why the type tells you who or what does the work, not how important the control is.
Type versus function, and compensating controls
Once you can name a control's type, a second question follows: what does it actually accomplish? That is the control's function, and it is a separate axis from type. Type asks how the control is built; function asks what it does about a threat.
The functional categories
CC keeps the function list short and practical:
- Preventive controls stop an unwanted event before it happens. A firewall that blocks a connection and a door lock that bars entry are both preventive.
- Detective controls notice an event while it happens or after the fact. An intrusion-detection system, a reviewed audit log, and a CCTV recording are detective.
- Corrective controls fix the damage and bring things back to normal after an event. Restoring files from backup and removing malware are corrective.
- Deterrent controls discourage an attacker from trying in the first place. A visible "Premises under surveillance" sign, a guard at the gate, and warning banners are deterrent.
You may also meet recovery controls (a broader restore-to-operations idea that overlaps corrective) and directive controls (orders that steer behavior, such as a policy). Keep the four above as your core set for CC.
The two axes are independent
Because type and function are separate, any type can serve any function. The same control can even cover more than one function at once: a security guard physically deters an intruder, detects one on the cameras, and prevents entry at the door. So when a question gives you a scenario, read it twice, once for the mechanism (to get the type) and once for the goal (to get the function). A classic stem describes a fence and asks for its category; a fence is a physical control by type, and most often a deterrent by function.
Compensating controls
Sometimes the control you would prefer simply will not fit. A compensating control[3] is an alternative safeguard used in lieu of a recommended control, chosen because it provides equivalent or comparable protection when the original cannot be implemented as written. The trigger is a real constraint, not convenience: a legacy medical device that cannot run modern encryption, an old application that cannot accept multi-factor authentication, or a budget that rules out a preferred tool. The fix is to wrap the gap in other safeguards that reach a similar level of protection, for example isolating the legacy device on its own network segment with tight monitoring. A compensating control should always be documented with the reason the recommended control could not be used, so the decision is traceable later.
Combining controls: defense in depth
No single control is perfect, so strong security stacks several. Defense in depth is the strategy of layering multiple, independent controls so that an attacker who defeats one still has to get past the others. NIST describes it as integrating people, technology, and operations[4] capabilities to set up variable barriers across multiple layers, which is exactly the case for mixing the three control types around one asset.
Think of a database of customer records. A badge reader on the data-center door is a physical layer. Network segmentation and a firewall in front of the database are technical layers. A least-privilege access policy and mandatory awareness training are administrative layers. An attacker now has to beat a lock, then a firewall, then a permissions model, each by a different route. That mix of types is what makes the stack hard to clear.
Layers must be independent
The one rule that turns "more controls" into real depth is independence. Two controls that share a single point of failure fail together and count as one layer, not two. If your firewall and your VPN both authenticate against the same identity store, then cracking that one store gets past both at once, so they are really a single layer. Genuine depth comes from layers that fail for different reasons: a physical lock is not bypassed by a stolen password, and an awareness-trained employee is not fooled by a firewall misconfiguration.
How exam questions phrase it
Exam stems describe a setup with several safeguards in a row and ask which principle is at work; the answer is defense in depth, also called layered security. A trickier version lists controls that all depend on one thing (one admin account, one gateway) and asks whether that is good defense in depth. It is not, because the shared dependency means a single failure removes them all. Watch for the difference between many controls and many independent layers; only the second is defense in depth.
The three security control types (how a control is implemented)
| Control type | Technical (logical) | Administrative (managerial) | Physical |
|---|---|---|---|
| How it is enforced | Hardware, software, or firmware in the system | Policies, procedures, and human practices | Tangible barriers and the physical environment |
| Who or what acts | The information system itself | People following management direction | Physical objects, sites, and personnel on site |
| Typical examples | Encryption, firewalls, access-control lists, IDS, antivirus | Security policy, background checks, awareness training, separation of duties | Locks, fences, badge readers, guards, CCTV, fire suppression |
| FIPS 200 grouping | Technical | Management and operational | Operational (physical and environmental) |
| Fails when | Misconfiguration, software flaw, or bypass | People ignore or do not know the policy | Barrier is breached, tailgated, or unmonitored |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A security control is any safeguard that protects CIA
A security control is a safeguard or countermeasure put in place to reduce risk and protect the confidentiality, integrity, and availability of information and systems. A door lock, a firewall rule, a password policy, and a nightly backup are all controls despite looking nothing alike, because each lowers risk to the same asset. FIPS 200 formally groups controls as management, operational, and technical.
- Classify a control by how it is enforced: technical, administrative, or physical
The three control types describe the mechanism that does the work, not how important the control is. Technical (logical) controls are enforced by hardware, software, or firmware; administrative (managerial) controls are policies, procedures, and human practices; physical controls are tangible barriers and the environment. Most real safeguards need all three working together around one asset.
Trap Ranking the types so technical counts as the real security and the others as paperwork; they are equals and usually all apply to one asset.
- Technical controls are enforced by the system itself
A technical (logical) control is carried out by hardware, software, or firmware rather than by a person. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, the answer is technical.
1 question tests this
- Administrative controls direct how people behave
An administrative (managerial) control works through policy, procedure, and human practice rather than through a machine. A security policy, a pre-hire background check, separation of duties, and a security-awareness program are administrative controls. If the safeguard tells people what to do, classify it administrative.
Trap Calling a policy that requires encryption a technical control; the written rule directing people is administrative, even though the thing it mandates is technical.
5 questions test this
- An organization wants employees to recognize and report phishing attempts. Which administrative control would BEST achieve this objective?
- Which of the following BEST describes an administrative control?
- Which characteristic distinguishes administrative controls from technical controls?
- A security team is developing a program to help employees recognize and report phishing attempts. Which concept BEST describes this…
- What type of security control is security awareness training classified as?
- Physical controls protect the tangible world
A physical control acts on the physical environment: fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems. If you could touch it or walk into it, it is physical. Environmental safeguards like HVAC and fire suppression count here too because they protect the site and equipment.
- Type and function are separate, independent axes
A control's type (technical, administrative, physical) describes how it is built; its function describes what it does about a threat. The two are independent, so any type can serve any function: a fence (physical) deters, a firewall (technical) prevents, an audit-log review (administrative) detects. Exam stems often want both answers, so read the scenario once for the mechanism and once for the goal.
Trap Assuming a control's type fixes its function, so a firewall is always preventive; the same firewall can be preventive or detective depending on how it is used.
- Preventive controls stop an event before it happens
A preventive control blocks an unwanted event from occurring at all. A firewall that drops a connection, a door lock that bars entry, and enforced strong-password rules are preventive. Preventive is the function exam stems describe with verbs like block, bar, or stop.
10 questions test this
- An organization implements a firewall to block unauthorized network traffic before it reaches internal systems. Which type of security…
- Which of the following correctly pairs a security measure with its functional control type?
- An organization requires all employees to use strong passwords with a minimum of 12 characters. Which type of security control is this?
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- An organization implements a firewall that blocks unauthorized network traffic from entering its systems. What type of control BEST…
- Which type of physical security control function does a locked server room door perform?
- An organization installs bollards and concrete barriers around the entrance to its data center building. What category of physical control…
- An organization requires all employees to use multi-factor authentication before accessing sensitive systems. How should this control BEST…
- Which type of security control is PRIMARILY designed to stop an unauthorized action before it occurs?
- A security architect recommends implementing multi-factor authentication to address the risk of unauthorized access. How should this…
- Detective controls notice an event during or after it
A detective control identifies an event while it happens or after the fact, but does not stop it on its own. Intrusion-detection systems, reviewed audit logs, and CCTV recordings are detective. The signal in a stem is that the control records, alerts, or reveals rather than blocks.
Trap Treating a recording CCTV camera as preventive; on its own it only detects, the deterrent or preventive effect comes from the visible presence or a guard acting on it.
9 questions test this
- Which physical security control is PRIMARILY intended to detect unauthorized access rather than prevent it?
- A security analyst reviews log files to identify suspicious login attempts on the organization's network. What type of control function…
- What is the PRIMARY purpose of closed-circuit television (CCTV) systems in physical security?
- Which security control scenario correctly matches the control type with its function?
- A security analyst reviews system logs each morning to identify any unusual activity that occurred overnight. What type of control does…
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- Which of the following is the PRIMARY purpose of a detective control?
- Which type of security control is primarily designed to identify that a security event has occurred?
- Which of the following BEST describes the role of CCTV in a comprehensive physical security program?
- Corrective controls fix the damage and restore operations
A corrective control acts after an event to repair harm and return to normal. Restoring files from backup, removing malware, and applying a patch that closes the exploited hole are corrective. Recovery controls are a closely related, broader restore-to-operations idea that overlaps corrective.
6 questions test this
- An organization implements data backups to support recovery operations after a ransomware attack. What type of control does this represent?
- After discovering a malware infection, an organization restores affected systems from known-good backups. Which control type is being…
- After a ransomware attack encrypts critical files, an organization restores its data from backup tapes stored offsite. The backup system…
- Which of the following is an example of a corrective security control?
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- After a ransomware attack encrypted critical files, an organization restored its systems using data backups. This recovery action is an…
- Deterrent controls discourage an attacker from trying
A deterrent control reduces the will to attack rather than the ability. A visible surveillance sign, a guard at the gate, and login warning banners are deterrent because they make a target look harder or riskier. Deterrence works on the attacker's decision, so a control nobody can see does not deter.
- One control can fill more than one function at once
Functions are not exclusive, so a single control can do several jobs. A security guard physically deters an intruder at the gate, detects one on the cameras, and prevents entry at the door. When a stem asks for the primary function, pick the effect the scenario emphasises rather than insisting on a single label.
- A compensating control substitutes for one that will not fit
A compensating control is an alternative safeguard used in lieu of a recommended control that cannot be implemented as written, and it must give equivalent or comparable protection. It is triggered by a real constraint, such as a legacy system that cannot run encryption or accept multi-factor authentication, not by convenience. Wrap the gap in other safeguards, for example isolating the legacy system on its own monitored network segment.
Trap Picking a compensating control to save effort or money on a control that could be implemented; it is justified only when the recommended control genuinely cannot be deployed.
9 questions test this
- What requirement must a compensating control satisfy to be considered acceptable?
- An organization has a legacy system that cannot support modern session timeout controls. Which action demonstrates proper use of…
- A small organization cannot implement separation of duties due to limited staffing resources. Which is a valid compensating control…
- Under what circumstance is it appropriate for an organization to implement a compensating control instead of the primary control specified…
- When an organization cannot implement a recommended security control from an established baseline, what is the PRIMARY purpose of…
- A small organization cannot implement segregation of duties due to limited staff. Which compensating control approach would be most…
- When an organization cannot implement a required technical security control due to system limitations, which approach should be taken?
- What is the PRIMARY requirement for a compensating control to be considered valid according to risk management frameworks?
- A small organization cannot implement separation of duties due to limited staffing. Which combination of compensating controls would BEST…
- Document why the recommended control could not be used
Every compensating control should be recorded together with the reason the original control could not be implemented and how the substitute reaches comparable protection. The documentation makes the risk decision traceable later and is part of what distinguishes a legitimate compensating control from a quietly skipped one.
- Defense in depth layers independent controls so one failure is not fatal
Defense in depth (layered security) stacks multiple controls across different layers so an attacker who defeats one still faces the others. NIST frames it as integrating people, technology, and operations to set up barriers across multiple layers, which is why mixing control types around one asset strengthens the stack. A badge reader, network segmentation, and a least-privilege policy each guard the same database by a different route.
23 questions test this
- What is the PRIMARY benefit of implementing multiple security controls at different layers within an organization?
- Which of the following BEST describes why organizations implement multiple layers of physical security controls at their facilities?
- Which security strategy integrates people, technology, and operations capabilities to establish multiple barriers across an organization?
- Which of the following BEST describes the primary purpose of a defense in depth strategy?
- How does implementing a defense in depth strategy affect attackers attempting to compromise an organization's systems?
- Which statement BEST describes the purpose of using heterogeneous security technologies in a defense in depth strategy?
- An organization relies solely on a perimeter firewall to protect its network. Why does this approach fail to follow defense in depth…
- Which three elements does a defense in depth strategy integrate to establish variable barriers across multiple layers of an organization?
- Which combination represents the three dimensions that defense in depth integrates to protect organizational information systems?
- An organization wants to protect its sensitive database server. Which approach BEST demonstrates defense in depth?
- How does a defense in depth strategy benefit an organization when facing sophisticated attackers?
- In a defense in depth strategy, what is the primary benefit of implementing security controls at multiple layers of an organization's…
- According to NIST, defense in depth is an information security strategy that integrates which three elements?
- Which of the following scenarios BEST demonstrates a layered security approach consistent with defense in depth principles?
- In a defense in depth strategy, what happens when an attacker successfully bypasses one security control?
- Which security principle is MOST closely related to defense in depth?
- A security architect is designing a defense in depth strategy. Which combination of control types should be included for comprehensive…
- What is the PRIMARY purpose of implementing a defense in depth strategy?
- A security architect is explaining why the organization should not rely solely on perimeter defenses. Which statement BEST supports…
- What is the PRIMARY purpose of using multiple layers of physical barriers such as fences, gates, and locked doors around a facility?
- How does a defense in depth strategy help organizations defend against advanced persistent threats (APTs)?
- What is a PRIMARY benefit of implementing a defense in depth strategy?
- A security analyst is explaining why relying on a single firewall to protect the network is insufficient. Which defense in depth principle…
- Layers only count if they fail independently
Real depth requires controls that fail for different reasons; two controls sharing a single point of failure fail together and count as one layer, not two. A firewall and a VPN that both authenticate against the same identity store are a single layer, because cracking that one store gets past both. A physical lock is not bypassed by a stolen password, which is why mixing types creates genuine independence.
Trap Counting many controls that share one credential store or one chokepoint as deep defense; the shared dependency means a single failure removes them all at once.
4 questions test this
- What is the PRIMARY benefit of implementing multiple security controls at different layers within an organization?
- Which statement BEST describes the purpose of using heterogeneous security technologies in a defense in depth strategy?
- An organization relies solely on a perimeter firewall to protect its network. Why does this approach fail to follow defense in depth…
- Which of the following scenarios BEST demonstrates a layered security approach consistent with defense in depth principles?
- More controls is not the same as more layers
Adding safeguards that all depend on one thing does not deepen defense, because they collapse together. Defense in depth is measured in independent layers, not in the raw number of controls. When a stem lists several controls that hinge on one admin account or one gateway, the correct read is that it is not effective defense in depth.
- Security awareness training exists to change human behavior against attacks
Awareness training reduces risk by teaching employees to recognize and respond to threats like phishing and social engineering, addressing the human element that attackers find easier to exploit than technology. Best practice runs it at hire and at least annually, with role-based training for higher-risk jobs.
Trap Treating training as a one-time onboarding checkbox rather than an ongoing program with annual refreshers.
13 questions test this
- What is the primary purpose of security awareness training within an organization?
- Which statement BEST describes the primary purpose of a security awareness program?
- An organization wants to help employees recognize and respond to social engineering attacks. Which training topic should be prioritized?
- Which activity is considered a key component of an effective security awareness program?
- According to best practices, how frequently should security awareness training be conducted at minimum?
- An organization wants to measure the effectiveness of its security awareness program. Which metric provides the BEST indication of actual…
- Which social engineering attack method should be a PRIMARY focus of security awareness training based on current threat intelligence?
- What is the PRIMARY purpose of security awareness training for employees?
- Why are phishing simulations considered an effective component of security awareness programs?
- Why is security awareness training particularly important for protecting against social engineering attacks?
- A security team is developing a program to help employees recognize and report phishing attempts. Which concept BEST describes this…
- What type of security control is security awareness training classified as?
- Why is it important for security awareness training to include social engineering recognition?
- Phishing simulations measure and reinforce awareness by tracking click rates over time
Simulated phishing exercises give employees safe practice and let the organization measure behavior change through the click rate (phish-prone percentage). A falling click rate, and just-in-time training for those who fail, indicate the program is working.
Trap Using training-completion counts as the success metric instead of the simulated-phishing click rate that reflects actual behavior.
8 questions test this
- An organization conducts simulated phishing exercises and provides immediate training when employees click on suspicious links. What is…
- An organization wants to measure the effectiveness of its phishing awareness training program. Which metric would BEST indicate improvement…
- Which activity is considered a key component of an effective security awareness program?
- How can an organization measure the effectiveness of its security awareness training program?
- An organization wants to measure the effectiveness of its security awareness program. Which metric provides the BEST indication of actual…
- Why are phishing simulations considered an effective component of security awareness programs?
- An organization wants employees to recognize and report phishing attempts. Which administrative control would BEST achieve this objective?
- What is the PRIMARY reason organizations include phishing simulations in their security awareness training programs?
- An IDS only alerts; an IPS can actively block the threat
Per NIST SP 800-94, the defining difference is that an IPS can respond to a detected threat by attempting to prevent it from succeeding, while an IDS passively monitors and alerts. A host-based system (HIDS) watches one host's logs and events; an IPS is often deployed in detection-only mode first to tune out false positives before it blocks live traffic.
Trap Assuming a false negative (a missed real attack) is the harmless error, when it is the dangerous one because no alert is raised.
5 questions test this
- Which of the following BEST describes the defining characteristic that differentiates an intrusion prevention system (IPS) from an…
- What is the primary data source monitored by a host-based intrusion detection system (HIDS)?
- What is the primary reason an organization might initially deploy an Intrusion Prevention System (IPS) in detection-only mode?
- Which characteristic distinguishes an intrusion prevention system (IPS) from an intrusion detection system (IDS)?
- What type of intrusion detection system monitors traffic on an individual computer or device?
- A mantrap admits one authenticated person at a time to stop tailgating
A mantrap is two interlocking doors where the first must close before the second opens, so only one authenticated person passes and tailgating is prevented. Visitor sign-in, escort badges, and escorts distinguish authorized staff from visitors, and a lost access badge should be disabled immediately.
Trap Treating a badge reader on a single door as tailgating protection, when nothing stops a second person from following through.
3 questions test this
- What is the PRIMARY purpose of requiring visitors to sign in, receive an escort badge, and be accompanied by an employee at all times?
- Which physical security control is specifically designed to prevent tailgating by allowing only one person to pass through at a time?
- An employee loses their access badge used to enter secure areas of the facility. What should be the FIRST action taken by security…