The three types of access control offer different levels of protection, and each can be configured based on the needs of the organization. This affords the security administrator extensive discretionary control over security mechanisms and reinforces the organization’s security as a whole. The main objective of security control mechanisms is to prevent, identify, or recover from problems.
- Preventive controls are used to impede breaches of security or invasive attacks on the system.
- Detective controls scan the system for harmful agents.
- Corrective controls restore systems after damaging attacks.
To apply these measures, controls can be administrative, technical, or physical.
- Administrative controls are the rules and procedures implemented by the organization. Security awareness training, password administration, and background checks are preventive administrative controls.
- Technical controls are instrumental in protecting the IT infrastructure. These include the restriction of access to systems through user authentication, network segmentation, and protecting information through encryption and antivirus programs.
- Physical controls protect organizations against theft, loss, and unauthorized access. These include alarm systems, gated entries, locks, guard dogs, and video monitoring systems, as well as the securing of computer equipment and the management of cabling infrastructure.
Preventive and detective control types can be integrated with administrative, technical and physical applications to create the following pairings:
- Preventive administrative controls, which deal with the functions that support the access control objectives and include structural policies and procedures, background checks, contractual agreements, employee termination procedures, user security training, behavior standards, and user-permission procedures to obtain access to networks and data.
- Preventive technical controls, which implement technology to execute access control policies. These controls can be built into an operating system, administered through software applications, or provided by supporting hardware/software. Some common preventive technical controls are anti-malware software, authentication methods such as biometrics, tokens, and passwords, and hardened user interfaces.
- Preventive physical controls, which are designed to restrict physical access to areas with systems holding confidential information or areas that are used for storage of the backup data files. Often a protective border is in place to block unwanted access to the restricted area.
- Detective administrative controls, which can be implemented for prevention of future security violations or to detect existing violations. The mechanisms implemented by this control pairing are mandatory user training, least privilege, separation of duties, policies and procedures, and random and regular audits.
- Detective technical controls, which use technical processes to detect breaches of security policy. These processes include intrusion detection systems and automatically generated violation reports built from audit trail information. These reports can show deviations from normal operating procedures in order to detect known records of unauthorized access. Audit records should be protected at the highest level of security in the system because of their critical informational value.
- Detective physical controls rely on sensors or cameras to detect a violation. These devices still rely on human discernment to determine if the violation is authentic.
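
The violation report described under detective technical controls, sketched as an added example that is not part of the original page. The audit record layout, the sample records, and the policy values (failed-login limit, working hours) are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed audit trail (not real data): time|user|action|resource|result
AUDIT_TRAIL = """\
2024-05-06T02:31:10|bob|login|vpn|failure
2024-05-06T02:31:18|bob|login|vpn|failure
2024-05-06T02:31:25|bob|login|vpn|failure
2024-05-06T02:33:02|bob|login|vpn|success
2024-05-06T02:35:47|bob|read|payroll.db|denied
2024-05-06T09:12:03|alice|login|vpn|success
2024-05-06T09:14:40|alice|read|payroll.db|success
2024-05-06T10:05:00|carol|write|wiki|success
"""

# Assumed policy values for this example
FAILED_LOGIN_LIMIT = 3      # failed logins per user before a finding is raised
WORK_HOURS = range(7, 19)   # 07:00-18:59 is treated as normal operation


def parse(trail):
    """Yield (timestamp, user, action, resource, result) per audit record."""
    for line in trail.splitlines():
        ts, user, action, resource, result = line.split("|")
        yield datetime.fromisoformat(ts), user, action, resource, result


def violation_report(trail):
    """Return (user, rule, detail) tuples for records that break policy."""
    findings, failures = [], Counter()
    for ts, user, action, resource, result in parse(trail):
        # Known record of unauthorized access: the system refused the request.
        if result == "denied":
            findings.append((user, "access-denied", f"{action} {resource}"))
        # Repeated authentication failures, reported once when the limit is hit.
        if action == "login" and result == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_LIMIT:
                findings.append((user, "failed-logins", f"{failures[user]} failures"))
        # Deviation from normal operation: successful activity outside work hours.
        if result == "success" and ts.hour not in WORK_HOURS:
            findings.append((user, "off-hours", f"{action} {resource} at {ts:%H:%M}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in violation_report(AUDIT_TRAIL):
        print(f"{user:6} {rule:14} {detail}")
```

As the last item in the list notes for physical sensors, each finding is a lead for a reviewer to confirm, not proof of a violation.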