CompTIA Security+ - Security Controls

Created by Britney Fletcher

7 Slides • 9 Questions

2

Physical Controls

Physical controls are tangible protections implemented to safeguard hardware and facilities from unauthorized access or damage. These include barriers such as locks, fences, biometrics, surveillance systems, and guards. Their primary function is to prevent physical intrusion that could lead to data breaches or equipment theft. These controls are essential in controlling access to sensitive areas, ensuring that only authorized personnel can reach critical infrastructure components.

Physical controls play a role in disaster recovery planning by safeguarding backup systems and maintaining continuity during power outages or natural disasters. Environmental monitoring systems also fall under this category, protecting assets from temperature fluctuations, humidity, and other conditions that might compromise equipment integrity.

Technical Controls

Technical controls use technology to protect information systems and networks from cyber threats. These include tools like firewalls, encryption, antivirus software, intrusion detection systems, and access controls. They automate the process of monitoring and responding to cyber threats, managing the vast volume of data and potential vulnerabilities. Technical controls are often the first line of defense in identifying and mitigating threats.

Technical controls adapt to new threats, often through regular updates and patches that address known vulnerabilities. This adaptability is crucial, especially in environments experiencing rapid technological changes or facing sophisticated cyber-attacks. Continual assessment and fine-tuning are necessary to maintain the efficacy of these technical measures.

Administrative Controls

Administrative controls involve policies, procedures, and practices that manage the security framework within an organization. These include security policies, training programs, access management, and risk assessments designed to guide personnel on best practices for data protection. Administrative controls set the organizational tone, influencing the security culture and ensuring compliance through structured oversight.

Administrative controls are critical for incident response planning and executing regular security audits. They establish roles and responsibilities, ensuring everyone understands their part in maintaining security. By emphasizing employee training and adherence to security policies, these controls reduce human error and improve the overall effectiveness of security measures.

3

Physical Controls

  • Fences
  • Doors
  • Locks
  • Cameras
  • Security guards
  • Protective barriers
  • Access control
  • Perimeter intrusion detection
  • Deterrent systems
  • Fire protection

4

Technical Controls

Tools and systems used to protect sensitive information from cyber threats. They use software and hardware to defend digital data. Examples of technical controls include encryption, firewalls, anti-virus software, and data backups.

5

Administrative Controls

Prevention, Correction, Determent, Compensation

Include policies, procedures, and guidelines to manage and secure assets. Examples include security training, least privilege policies, incident response plans, and personnel management controls.

6

Critical Administrative Controls

Now that we have defined the goals of our security controls, we can get to the real meat and potatoes of this post. Administrative controls are vitally important for a company’s defenses but are often the most overlooked control. Almost all security actions come from an administrative decision at some point. Nothing happens within a vacuum. But some of the more complex goals and examples are rarely even entertained until it is too late. Below we will define a few of the most critical administrative controls and the categories in which they fit. Remember that a single solution will likely fit into multiple control categories and goals so we will simply emphasize certain examples below.

Administrative Control – Corrective

Incident Response Plan – This is the big one. Incident Response Plans are a corrective administrative control that provides incalculable value in the form of disaster preparedness. It is fairly common knowledge that companies need a plan when dealing with an incident, but very few companies have documentation that details their exact goals and strategy should an incident occur. “How did this happen? Who should we call? How long have the attackers been in our network? What have they taken?” These questions may have extremely complex answers that require full-fledged investigations. Obviously not every business can afford an Incident Response Team that is available 24/7. However, every single business can afford to take the time to develop a solid Incident Response Plan.

Administrative Control – Detective

Auditing – Most products contain thorough logs that allow owners to audit the users and data involved with the system. By setting up a regular review of these events, companies may detect an attack that was never seen by other tools. For example, reviewing badge-reader access logs to a restricted area may reveal evidence of a potential incident.

Administrative Control – Preventative

User Training – As technology gets better and better, the human has proved to be the weakest link in the chain. Attackers have started targeting employees for easy access into the most critical assets. User training helps combat this strategy by shoring up defenses where they matter most. The best training engages users with timely exercises and simulations in order to drive home the effectiveness of some of the new attack techniques.

Administrative Control – Determent

“Bug Bounty” – This control falls under many categories, but we feel it is an administrative control focused on deterring negative behavior. Offering a large bounty to outside users who discover security threats gives attackers an incentive to report vulnerabilities in exchange for a reward. Without a system to reward the discovery of a vulnerability, the attackers may launch an actual attack instead of reporting the issue.

7

8

Multiple Choice

These are controls that are managed by people. If we have security guards posted at the front doors or we have an awareness program to let people know that phishing is a significant concern, these would be operational controls.

1

Operational

2

Managerial

3

Technical

4

Physical

9

Multiple Choice

This is a control that focuses on the design of the security or the policy implementation associated with the security. We might have a set of security policies for our organization or a set of standard operating procedures that everyone is expected to follow.

1

Operational

2

Managerial

3

Technical

4

Physical

10

Multiple Choice

We can use our own systems to prevent some of these security events from occurring.

1

Operational

2

Managerial

3

Technical

4

Physical

11

Multiple Choice

Control Type: Preventative Control

1

Something like locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet.

2

It can certainly identify that activity is there, but cannot prevent it.

3

Designed to mitigate any damage that occurred because of a security event.

4

There could be a login banner and a sign-in page that lets people know that you’re watching for the logins.

12

Multiple Choice

Control Type: Detective Control

1

Something like locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet.

2

It can certainly identify that activity is there, but cannot prevent it.

3

Designed to mitigate any damage that occurred because of a security event.

4

There could be a login banner and a sign-in page that lets people know that you’re watching for the logins.

13

Multiple Choice

Control Type: Corrective Control

1

Something like locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet.

2

It can certainly identify that activity is there, but cannot prevent it.

3

Designed to mitigate any damage that occurred because of a security event.

4

There could be a login banner and a sign-in page that lets people know that you’re watching for the logins.

14

Multiple Choice

Control Type: Deterrent Control

1

Something like locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet.

2

It can certainly identify that activity is there, but cannot prevent it.

3

Designed to mitigate any damage that occurred because of a security event.

4

There could be a login banner and a sign-in page that lets people know that you’re watching for the logins.

15

Fill in the Blank

_____ controls are based around the concept of stopping an attack before it can cause damage. These are some of the most well-known products such as firewalls, AV, IPS, etc.

16

Fill in the Blank

Controls that are implemented solely as a substitute for a more effective method. A commonly used example would be a new employee that is not registered with the existing badge reader system. A ______ control would be to escort the associate until a proper solution is achieved.
