Domain 1 of 5 · Chapter 3 of 5

Security Controls

What a control is, and the three types

Picture one server room. A locked door keeps strangers out, a firewall keeps hostile traffic out, and a written policy keeps staff from propping the door open. Three very different safeguards, one job: lower the risk to the data inside. That shared job is what makes each of them a security control, a safeguard or countermeasure put in place to protect the confidentiality, integrity, and availability[1] of information and systems.

Controls are easiest to learn when you sort them by how they are carried out. The CC outline uses three types.

  • Technical controls (also called logical controls) are enforced by the system itself, through hardware, software, or firmware[2]. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, it is technical.
  • Administrative controls (also called managerial controls) are the policies, procedures, and human practices that direct how people behave. A security policy, a background check before hiring, separation of duties, and a security-awareness program are administrative controls. If the control works by telling people what to do, it is administrative.
  • Physical controls protect the tangible world. Fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems are physical controls. If you could touch it or walk into it, it is physical.

The federal standard FIPS 200[1] draws the same map with slightly different labels, calling controls management, operational, and technical. The two schemes line up closely: management and operational map onto the CC "administrative" idea, technical stays technical, and physical controls sit inside the operational group. For the CC exam, learn the three everyday names, technical, administrative, and physical, and treat FIPS 200 as the formal source they come from.

The single most common beginner error is to assume one type is "the security stuff" and the others are paperwork. They are equals. Most real safeguards need all three working together, which is why the type tells you who or what does the work, not how important the control is.

Technical (logical)enforced by the systemEncryptionFirewallAccess-control listAdministrativedirects how people actSecurity policyBackground checkAwareness trainingPhysicalprotects the tangible worldLock and badge readerSecurity guardCCTV cameraSort by how the control is enforced, not by how important it is
The three CC control types as groups of examples, mapped to FIPS 200's management, operational, and technical controls.

Type versus function, and compensating controls

Once you can name a control's type, a second question follows: what does it actually accomplish? That is the control's function, and it is a separate axis from type. Type asks how the control is built; function asks what it does about a threat.

The functional categories

CC keeps the function list short and practical:

  • Preventive controls stop an unwanted event before it happens. A firewall that blocks a connection and a door lock that bars entry are both preventive.
  • Detective controls notice an event while it happens or after the fact. An intrusion-detection system, a reviewed audit log, and a CCTV recording are detective.
  • Corrective controls fix the damage and bring things back to normal after an event. Restoring files from backup and removing malware are corrective.
  • Deterrent controls discourage an attacker from trying in the first place. A visible "Premises under surveillance" sign, a guard at the gate, and warning banners are deterrent.

You may also meet recovery controls (a broader restore-to-operations idea that overlaps corrective) and directive controls (orders that steer behavior, such as a policy). Keep the four above as your core set for CC.

The two axes are independent

Because type and function are separate, any type can serve any function. The same control can even cover more than one function at once: a security guard physically deters an intruder, detects one on the cameras, and prevents entry at the door. So when a question gives you a scenario, read it twice, once for the mechanism (to get the type) and once for the goal (to get the function). A classic stem describes a fence and asks for its category; a fence is a physical control by type, and most often a deterrent by function.

Compensating controls

Sometimes the control you would prefer simply will not fit. A compensating control[3] is an alternative safeguard used in lieu of a recommended control, chosen because it provides equivalent or comparable protection when the original cannot be implemented as written. The trigger is a real constraint, not convenience: a legacy medical device that cannot run modern encryption, an old application that cannot accept multi-factor authentication, or a budget that rules out a preferred tool. The fix is to wrap the gap in other safeguards that reach a similar level of protection, for example isolating the legacy device on its own network segment with tight monitoring. A compensating control should always be documented with the reason the recommended control could not be used, so the decision is traceable later.

Function (what it does)Example control and its typePreventiveFirewall blocks a connectiontechnicalDetectiveAudit-log review spots misuseadministrativeCorrectiveRestore files from backuptechnicalDeterrentGuard or warning sign at the gatephysical
Type and function are independent axes: each function below is met by a different type, so any type can fill any function.

Combining controls: defense in depth

No single control is perfect, so strong security stacks several. Defense in depth is the strategy of layering multiple, independent controls so that an attacker who defeats one still has to get past the others. NIST describes it as integrating people, technology, and operations[4] capabilities to set up variable barriers across multiple layers, which is exactly the case for mixing the three control types around one asset.

Think of a database of customer records. A badge reader on the data-center door is a physical layer. Network segmentation and a firewall in front of the database are technical layers. A least-privilege access policy and mandatory awareness training are administrative layers. An attacker now has to beat a lock, then a firewall, then a permissions model, each by a different route. That mix of types is what makes the stack hard to clear.

Layers must be independent

The one rule that turns "more controls" into real depth is independence. Two controls that share a single point of failure fail together and count as one layer, not two. If your firewall and your VPN both authenticate against the same identity store, then cracking that one store gets past both at once, so they are really a single layer. Genuine depth comes from layers that fail for different reasons: a physical lock is not bypassed by a stolen password, and an awareness-trained employee is not fooled by a firewall misconfiguration.

How exam questions phrase it

Exam stems describe a setup with several safeguards in a row and ask which principle is at work; the answer is defense in depth, also called layered security. A trickier version lists controls that all depend on one thing (one admin account, one gateway) and asks whether that is good defense in depth. It is not, because the shared dependency means a single failure removes them all. Watch for the difference between many controls and many independent layers; only the second is defense in depth.

Physical layerbadge reader on the data-center doorTechnical layerfirewall and network segmentationAdministrative layerleast-privilege policy, trainingCustomer databaseattacker must clear every layer
Defense in depth: independent layers of different control types around one asset, modeled on NIST's people, technology, and operations layering.

The three security control types (how a control is implemented)

Control typeTechnical (logical)Administrative (managerial)Physical
How it is enforcedHardware, software, or firmware in the systemPolicies, procedures, and human practicesTangible barriers and the physical environment
Who or what actsThe information system itselfPeople following management directionPhysical objects, sites, and personnel on site
Typical examplesEncryption, firewalls, access-control lists, IDS, antivirusSecurity policy, background checks, awareness training, separation of dutiesLocks, fences, badge readers, guards, CCTV, fire suppression
FIPS 200 groupingTechnicalManagement and operationalOperational (physical and environmental)
Fails whenMisconfiguration, software flaw, or bypassPeople ignore or do not know the policyBarrier is breached, tailgated, or unmonitored

Decision tree

Does a machine enforce it?hardware, software, firmwareTechnical (logical)encryption, firewall, ACLYesDoes it direct people?policy, procedure, practiceNoAdministrativepolicy, background checkYesA tangible barrier?site, object, environmentNoPhysicallock, guard, CCTVYesRe-read for the mechanismclassify by the primary oneNoType tells you how a control is enforced; ask its function separately

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A security control is any safeguard that protects CIA

A security control is a safeguard or countermeasure put in place to reduce risk and protect the confidentiality, integrity, and availability of information and systems. A door lock, a firewall rule, a password policy, and a nightly backup are all controls despite looking nothing alike, because each lowers risk to the same asset. FIPS 200 formally groups controls as management, operational, and technical.

Classify a control by how it is enforced: technical, administrative, or physical

The three control types describe the mechanism that does the work, not how important the control is. Technical (logical) controls are enforced by hardware, software, or firmware; administrative (managerial) controls are policies, procedures, and human practices; physical controls are tangible barriers and the environment. Most real safeguards need all three working together around one asset.

Trap Ranking the types so technical counts as the real security and the others as paperwork; they are equals and usually all apply to one asset.

2 questions test this
Technical controls are enforced by the system itself

A technical (logical) control is carried out by hardware, software, or firmware rather than by a person. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, the answer is technical.

1 question tests this
Administrative controls direct how people behave

An administrative (managerial) control works through policy, procedure, and human practice rather than through a machine. A security policy, a pre-hire background check, separation of duties, and a security-awareness program are administrative controls. If the safeguard tells people what to do, classify it administrative.

Trap Calling a policy that requires encryption a technical control; the written rule directing people is administrative, even though the thing it mandates is technical.

5 questions test this
Physical controls protect the tangible world

A physical control acts on the physical environment: fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems. If you could touch it or walk into it, it is physical. Environmental safeguards like HVAC and fire suppression count here too because they protect the site and equipment.

1 question tests this
Type and function are separate, independent axes

A control's type (technical, administrative, physical) describes how it is built; its function describes what it does about a threat. The two are independent, so any type can serve any function: a fence (physical) deters, a firewall (technical) prevents, an audit-log review (administrative) detects. Exam stems often want both answers, so read the scenario once for the mechanism and once for the goal.

Trap Assuming a control's type fixes its function, so a firewall is always preventive; the same firewall can be preventive or detective depending on how it is used.

1 question tests this
Preventive controls stop an event before it happens

A preventive control blocks an unwanted event from occurring at all. A firewall that drops a connection, a door lock that bars entry, and enforced strong-password rules are preventive. Preventive is the function exam stems describe with verbs like block, bar, or stop.

10 questions test this
Detective controls notice an event during or after it

A detective control identifies an event while it happens or after the fact, but does not stop it on its own. Intrusion-detection systems, reviewed audit logs, and CCTV recordings are detective. The signal in a stem is that the control records, alerts, or reveals rather than blocks.

Trap Treating a recording CCTV camera as preventive; on its own it only detects, the deterrent or preventive effect comes from the visible presence or a guard acting on it.

9 questions test this
Corrective controls fix the damage and restore operations

A corrective control acts after an event to repair harm and return to normal. Restoring files from backup, removing malware, and applying a patch that closes the exploited hole are corrective. Recovery controls are a closely related, broader restore-to-operations idea that overlaps corrective.

6 questions test this
Deterrent controls discourage an attacker from trying

A deterrent control reduces the will to attack rather than the ability. A visible surveillance sign, a guard at the gate, and login warning banners are deterrent because they make a target look harder or riskier. Deterrence works on the attacker's decision, so a control nobody can see does not deter.

One control can fill more than one function at once

Functions are not exclusive, so a single control can do several jobs. A security guard physically deters an intruder at the gate, detects one on the cameras, and prevents entry at the door. When a stem asks for the primary function, pick the effect the scenario emphasises rather than insisting on a single label.

A compensating control substitutes for one that will not fit

A compensating control is an alternative safeguard used in lieu of a recommended control that cannot be implemented as written, and it must give equivalent or comparable protection. It is triggered by a real constraint, such as a legacy system that cannot run encryption or accept multi-factor authentication, not by convenience. Wrap the gap in other safeguards, for example isolating the legacy system on its own monitored network segment.

Trap Picking a compensating control to save effort or money on a control that could be implemented; it is justified only when the recommended control genuinely cannot be deployed.

9 questions test this
Document why the recommended control could not be used

Every compensating control should be recorded together with the reason the original control could not be implemented and how the substitute reaches comparable protection. The documentation makes the risk decision traceable later and is part of what distinguishes a legitimate compensating control from a quietly skipped one.

1 question tests this
Defense in depth layers independent controls so one failure is not fatal

Defense in depth (layered security) stacks multiple controls across different layers so an attacker who defeats one still faces the others. NIST frames it as integrating people, technology, and operations to set up barriers across multiple layers, which is why mixing control types around one asset strengthens the stack. A badge reader, network segmentation, and a least-privilege policy each guard the same database by a different route.

23 questions test this
Layers only count if they fail independently

Real depth requires controls that fail for different reasons; two controls sharing a single point of failure fail together and count as one layer, not two. A firewall and a VPN that both authenticate against the same identity store are a single layer, because cracking that one store gets past both. A physical lock is not bypassed by a stolen password, which is why mixing types creates genuine independence.

Trap Counting many controls that share one credential store or one chokepoint as deep defense; the shared dependency means a single failure removes them all at once.

4 questions test this
More controls is not the same as more layers

Adding safeguards that all depend on one thing does not deepen defense, because they collapse together. Defense in depth is measured in independent layers, not in the raw number of controls. When a stem lists several controls that hinge on one admin account or one gateway, the correct read is that it is not effective defense in depth.

Security awareness training exists to change human behavior against attacks

Awareness training reduces risk by teaching employees to recognize and respond to threats like phishing and social engineering, addressing the human element that attackers find easier to exploit than technology. Best practice runs it at hire and at least annually, with role-based training for higher-risk jobs.

Trap Treating training as a one-time onboarding checkbox rather than an ongoing program with annual refreshers.

13 questions test this
Phishing simulations measure and reinforce awareness by tracking click rates over time

Simulated phishing exercises give employees safe practice and let the organization measure behavior change through the click rate (phish-prone percentage). A falling click rate, and just-in-time training for those who fail, indicate the program is working.

Trap Using training-completion counts as the success metric instead of the simulated-phishing click rate that reflects actual behavior.

8 questions test this
An IDS only alerts; an IPS can actively block the threat

Per NIST SP 800-94, the defining difference is that an IPS can respond to a detected threat by attempting to prevent it from succeeding, while an IDS passively monitors and alerts. A host-based system (HIDS) watches one host's logs and events; an IPS is often deployed in detection-only mode first to tune out false positives before it blocks live traffic.

Trap Assuming a false negative (a missed real attack) is the harmless error, when it is the dangerous one because no alert is raised.

5 questions test this
A mantrap admits one authenticated person at a time to stop tailgating

A mantrap is two interlocking doors where the first must close before the second opens, so only one authenticated person passes and tailgating is prevented. Visitor sign-in, escort badges, and escorts distinguish authorized staff from visitors, and a lost access badge should be disabled immediately.

Trap Treating a badge reader on a single door as tailgating protection, when nothing stops a second person from following through.

3 questions test this

Also tested in

References

  1. https://csrc.nist.gov/glossary/term/security_controls
  2. https://csrc.nist.gov/glossary/term/technical_controls
  3. https://csrc.nist.gov/glossary/term/compensating_security_control
  4. https://csrc.nist.gov/glossary/term/defense_in_depth