Learning Topic

Security Controls

The goal of IT security is to protect the people, property, and data assets of the organization. Organizations use security controls to minimize risks to those assets. Security controls can be classified by type: physical, technical, or administrative. All three are necessary for robust security (Walkowski, 2019).

Physical Controls

Physical controls are security measures that safeguard physical assets against unauthorized access, damage, loss, or theft from natural and man-made events. Examples of physical controls include fences, gates, security guards, lighting, closed-circuit surveillance, motion sensors, access control systems (biometrics, access cards), and locked and dead-bolted steel doors.

Among physical controls, the use of personnel can be effective, but it is also the most expensive countermeasure to reduce physical security risks. Ouyang (2012) states that security guards can be used to:

· check credentials at entry points 

· ensure company property does not leave facility

· monitor intrusion detection systems

· verify doors and windows are locked

· watch for suspicious activity 

Technical Controls

Technical controls, also called logical controls, use hardware and software to restrict access to and use of sensitive data and systems. Examples include authentication solutions, firewalls, antivirus software, encryption, and intrusion detection and prevention systems.

Administrative Controls

Administrative or procedural security controls involve the procedures and policies that define and guide employees and users when dealing with the organization’s assets. This includes employee training and awareness programs, hiring and termination policies, data classification, equipment and internet usage guidelines, separation of duties, and disaster preparedness and recovery plans (Walkowski, 2019).

Compensating Controls

There is an additional category of controls called compensating or alternative controls. These are physical, technical and/or administrative controls employed by an organization in lieu of a recommended security control. These security measures are used to prevent a gap in IT compliance when the security requirements are too difficult or impractical to implement due to legitimate technological or business constraints (Bisson, 2016).

For example, organizations ideally should have two or more staff members complete separate parts of certain tasks, such as developing and testing a security system. This separation of duties reduces the risk of fraud and of undetected employee error, because no single person has sole control over, or sole accountability for, the task.

However, if an organization has a very small staff, it might need to have one employee complete the task. To compensate, the organization may implement a compensating or alternative control such as having that one employee maintain detailed logs and give reports to an audit committee or hiring a third party to monitor the process (Reeds, 2017).
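The following is an added example (not from the page or the cited sources) that models the two paths described above in code: the primary control refuses to let one identity both submit and approve a change, and the compensating control, switched on only when the organization cannot staff two roles, allows the self-approval but records it in a tamper-evident, hash-chained log that an audit committee or third party can later verify. Staff names, change identifiers and the log format are all constructed for illustration.

```python
"""Separation of duties, with a compensating control for small teams.

Added example, not from the page or its sources. All identities, change
IDs and log entries below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one identity would both submit and approve a change."""


GENESIS = "0" * 64  # previous-hash value for the first log entry


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it,
    so a reviewer can detect entries that were edited or removed."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)  # canonical encoding
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


@dataclass
class ChangeControl:
    """Approval gate for a change such as a firewall rule or a deployment."""
    staff: set
    compensating_control: bool = False  # enable only when two roles cannot be staffed
    audit_log: AuditLog = field(default_factory=AuditLog)

    def approve(self, change_id: str, author: str, approver: str) -> str:
        if author not in self.staff or approver not in self.staff:
            raise ValueError("unknown identity")
        record = {"change": change_id, "author": author, "approver": approver}
        if author != approver:
            # Primary control satisfied: two different people were involved.
            record["control"] = "separation_of_duties"
            self.audit_log.append(record)
            return "approved"
        if not self.compensating_control:
            raise SeparationOfDutiesError(
                f"{author} cannot approve their own change {change_id}")
        # Compensating control: self-approval allowed, but logged and flagged
        # for independent review by an audit committee or third party.
        record["control"] = "compensating"
        record["review_required"] = True
        self.audit_log.append(record)
        return "approved-pending-audit"

    def pending_review(self) -> list:
        """Changes the independent reviewer still has to examine."""
        return [e["record"]["change"] for e in self.audit_log.entries
                if e["record"].get("review_required")]


def demo() -> dict:
    """Exercise both paths and show that log tampering is detectable."""
    team = ChangeControl(staff={"alice", "bob"})
    two_person = team.approve("CHG-100", author="alice", approver="bob")
    try:
        team.approve("CHG-101", author="alice", approver="alice")
        blocked = False
    except SeparationOfDutiesError:
        blocked = True

    solo = ChangeControl(staff={"carol"}, compensating_control=True)
    self_approved = solo.approve("CHG-200", author="carol", approver="carol")
    intact_before = solo.audit_log.verify()
    # An insider edits the stored record to disguise the self-approval.
    solo.audit_log.entries[0]["record"]["approver"] = "dave"
    return {"two_person": two_person, "blocked": blocked,
            "self_approved": self_approved, "pending": solo.pending_review(),
            "intact_before": intact_before,
            "intact_after_tamper": solo.audit_log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the hash chain is that the compensating control only works if the log itself cannot be quietly rewritten by the one person it is meant to watch; in practice the log would also be shipped to a store that employee cannot modify, which this example leaves out.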


Bisson, D. (2016). Compensating controls: An impermanent solution to an IT compliance gap. Tripwire. https://www.tripwire.com/state-of-security/security-data-protection/compensating-controls/

Ouyang, A. (2012). Physical (environmental) security domain [PowerPoint slides]. CISSP Common Body of Knowledge Review. http://opensecuritytraining.info/CISSP-6-PS_files/6-Physical_Security.pdf

Reeds, C. (2017). Separation of duties and IT security [Blog post]. https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security

Walkowski, D. (2019). What are security controls? An overview of the types of countermeasures security practitioners use to reduce risk. F5. https://www.f5.com/labs/articles/education/what-are-security-controls