
Levy Olvera • August 24, 2023

101 Series | Security and Risk Management | Control Types

A brief introduction to the basic concepts about Control Types

This one is another foundational concept you might need to master. Even if you are already an expert in the field, revisiting these control types is useful to avoid getting rusty on the very basic stuff.

So let's go into the matter right away!

In order to avoid confusion, we are going to define the categories (by how a control is implemented) first:


Administrative Controls: Sometimes also referred to as management controls, and mostly directive in function. These focus on organisational policies (including the company culture), processes and guidelines that define how security is defined and managed within the organisation. They cover roles and responsibilities, security training and awareness, and risk assessment.


Technical Controls: Technology used to enforce the security policies (yes, the administrative controls). These include firewalls, intrusion detection systems, encryption, access control mechanisms, and authentication mechanisms such as biometrics.

Physical Controls: Very basic stuff that many people forget to include in information security assessments or strategies. Physical controls are measures taken to secure physical access to sensitive areas, hardware, and facilities. Think of locked doors, security cameras, biometric door locks, and environmental controls such as temperature and humidity regulation and fire suppression.


Easy peasy, right? Now let's see them in relation to their function, that is, what the control does for you. Note that the same mechanism can appear in more than one functional type: a firewall is preventive when it blocks traffic and detective when you review its logs.


Detective Controls: Designed to identify security incidents while or after they occur. A common example is a security information and event management (SIEM) system correlating logs from many sources.


Preventive Controls: The goal here is to stop security incidents from occurring in the first place. This can include access control mechanisms, firewalls, data encryption, and security awareness training. Yes, a little bit of everything.


Compensating Controls: Alternative measures put in place when the primary control is not feasible (mostly because of cost) or practical. They mitigate the risk even though they might not directly address its root cause, so document why the primary control was not used and when you plan to revisit that decision.


Corrective Controls: So maybe security was not taken into account from the design stage. Sh*t happens. Now what? Corrective controls are put in place to address vulnerabilities or weaknesses identified during security assessments or incidents, fixing the problem or limiting the impact of a breach.


Administrative Technical Controls (ATC): A hybrid of administrative and technical controls: a written policy paired with the mechanism that enforces it. Where the theory meets the practice.


Deterrent Controls: To discourage a potential attacker before they try. Think of warning signs, visible cameras, login banners and published sanctions policies.

Recovery Controls: Think of technical controls such as backups, but also of administrative ones such as the Disaster Recovery Plan.


Here are three real-world examples for each of the information security control types:

1. Administrative Controls:

  • Security Policies and Procedures: An organisation might have a policy that enforces the use of strong passwords and defines when they must be changed. Note that current NIST guidance (SP 800-63B) advises against forcing periodic password rotation unless there is evidence of compromise, so this procedure should screen passwords against known-breached lists rather than rely on expiry alone.
  • Security Awareness Training: Regular training sessions for employees on topics like phishing awareness and social engineering can help raise awareness about potential security risks.
  • Access Control Policies: Organisations can define who has access to specific resources based on their roles. For instance, only IT administrators may have access to critical servers.

2. Technical Controls:

  • Firewalls: Firewalls are used to filter incoming and outgoing network traffic. They prevent unauthorized access and can be configured to block certain types of traffic or applications.
  • Encryption: Using encryption algorithms to protect sensitive data, such as encrypting data transmitted over the internet with TLS (the successor of the now-deprecated SSL protocols).
  • Intrusion Detection System (IDS): IDS monitors network traffic for signs of malicious activities and alerts administrators if suspicious behaviour is detected.

3. Physical Controls:

  • Biometric Access Control: Using fingerprint or retina scans to grant access to secure areas within an organisation's premises.
  • Security Cameras: Installing surveillance cameras to monitor entrances, exits, and other critical areas, providing evidence in case of security incidents.
  • Secure Data Center Locations: Placing data centres in physically secure locations with restricted access to authorised personnel only.

4. Detective Controls:

  • Security Information and Event Management (SIEM) System: Collects and analyses log data from various sources to identify and respond to security incidents in real time.
  • Intrusion Detection System (IDS): Detects and alerts administrators about potential security breaches. It does not block anything on its own; an intrusion prevention system (IPS) is the in-line variant that also drops the traffic, which makes it a preventive control.
  • Security Auditing and Logging: Maintaining detailed logs of system and user activities for later analysis and investigation.

5. Preventive Controls:

  • Access Control Mechanisms: Limiting user access to only the resources and data necessary for their roles to reduce the risk of unauthorized access.
  • Firewalls and Network Segmentation: Using firewalls and network segmentation to isolate sensitive data from less secure parts of the network.
  • Antivirus and Antimalware Software: Protecting systems from malware by scanning files and processes for known malicious patterns.

6. Compensating Controls:

  • Two-Factor Authentication (2FA): If the primary authentication factor (usually the password) is compromised, a second factor still keeps the attacker out. It compensates for the weakness of passwords when a stronger primary mechanism cannot be deployed yet.
  • Data Loss Prevention (DLP) Solutions: While it's not always possible to prevent all data leaks, DLP solutions can help monitor and restrict the movement of sensitive data.
  • Virtual Private Network (VPN): If a dedicated private link to the network is not feasible, a VPN provides an encrypted tunnel over an untrusted network, like the internet.

7. Directive Controls:

  • Acceptable Use Policy: An organisation-wide policy defining how employees can use company resources and systems.
  • Password Policy: Guidelines on password complexity, expiration, and usage.
  • Data Classification Policy: Defining how different types of data should be handled, stored, and shared.

8. Corrective Controls:

  • Patch Management: Regularly applying software patches and updates to fix vulnerabilities and weaknesses.
  • Incident Response Plan: Having a plan in place to respond to security incidents and mitigate their impact.
  • Backup and Disaster Recovery Plans: Ensuring that critical data can be recovered in case of data loss or system compromise.

9. Administrative Technical Controls (ATC):

  • Role-Based Access Control (RBAC): Combining administrative policies that define roles with technical implementations that enforce those roles to control access to resources.
  • Encryption Policy: Administrative policy outlining which data should be encrypted and the encryption methods to be used, combined with technical encryption mechanisms.
  • Mobile Device Management (MDM) Policy: Aligning administrative guidelines with technical solutions to manage and secure mobile devices used within an organisation.
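To make the difference between the functional types concrete, here is an added example (not code from the original post) in which one small piece of Python plays three roles at once: the role policy written as data is the administrative control from section 9 (RBAC), the authorize() function is the preventive control from section 5, and the audit log plus the detect_repeated_denials() rule is the detective control from section 4. Users, roles, resources and the requests in the scenario are all constructed for illustration.

```python
"""Added example: one small RBAC system exercised as three control types.

- ROLE_POLICY and USER_ROLES are the administrative control (who may do what).
- authorize() is the technical, preventive control that enforces the policy.
- AUDIT_LOG plus detect_repeated_denials() is the detective control that spots
  a principal repeatedly probing resources they are not entitled to.

All names, roles, resources and requests are hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Administrative control: the access policy written down as data.
# A role maps to a set of (resource, action) permissions it grants.
ROLE_POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "it_admin": {("server:prod-db", "read"), ("server:prod-db", "write"),
                 ("server:prod-web", "read"), ("server:prod-web", "write")},
    "developer": {("server:prod-web", "read"), ("repo:app", "write")},
    "finance": {("share:payroll", "read"), ("share:payroll", "write")},
}

# Role assignments (also administrative: maintained by an HR/IT process).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"it_admin"},
    "bob": {"developer"},
    "carol": {"finance"},
}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    resource: str
    action: str
    decision: str  # "ALLOW" or "DENY"


AUDIT_LOG: List[AuditEvent] = []


def authorize(user: str, resource: str, action: str) -> bool:
    """Technical, preventive control: deny by default, allow only what a role grants.

    Every decision, allowed or denied, is recorded so that the detective
    control has something to work with. An unknown user has no roles and is denied.
    """
    allowed = any(
        (resource, action) in ROLE_POLICY.get(role, set())
        for role in USER_ROLES.get(user, set())
    )
    AUDIT_LOG.append(AuditEvent(user, resource, action, "ALLOW" if allowed else "DENY"))
    return allowed


def detect_repeated_denials(log: List[AuditEvent], threshold: int = 3) -> Dict[str, Dict[str, int]]:
    """Detective control: a SIEM-style rule over the audit log.

    Returns the users denied at least `threshold` times, with a count of
    denials per resource so the analyst can see what was being probed.
    """
    denials: Dict[str, Counter] = defaultdict(Counter)
    for ev in log:
        if ev.decision == "DENY":
            denials[ev.user][ev.resource] += 1
    return {u: dict(c) for u, c in denials.items() if sum(c.values()) >= threshold}


def run_scenario():
    """Replay a constructed batch of requests and run the detection rule over the log."""
    AUDIT_LOG.clear()
    requests = [
        ("alice", "server:prod-db", "write"),   # admin doing admin work
        ("bob", "server:prod-web", "read"),     # developer reading the web server
        ("bob", "server:prod-db", "read"),      # developer probing the database...
        ("bob", "server:prod-db", "write"),
        ("bob", "share:payroll", "read"),       # ...and the payroll share
        ("carol", "share:payroll", "read"),
        ("mallory", "server:prod-db", "read"),  # unknown user: no roles, denied
    ]
    results = {(u, r, a): authorize(u, r, a) for u, r, a in requests}
    return results, detect_repeated_denials(AUDIT_LOG)


if __name__ == "__main__":
    decisions, alerts = run_scenario()
    for key, allowed in decisions.items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {key}")
    print("alerts:", alerts)
```

The preventive control alone would silently deny bob's three requests and nobody would notice that a developer account is probing the production database and the payroll share; the detective rule turns those denials into an alert. mallory's single denial stays below the threshold, which is the usual trade-off when tuning such a rule: a lower threshold catches slower probing at the cost of more noise.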


Sources and further reading


Harris, Shon & Maymí, Fernando. CISSP All-in-One Exam Guide, Seventh Edition. New York: McGraw-Hill Education, 2016.

NIST Computer Security Resource Center. (n.d.). Security controls - Glossary | CSRC. https://csrc.nist.gov/glossary/term/security_controls

