In this post, I will briefly discuss the three major types, or categories, of controls that can be used to defend information systems: (1) physical controls, (2) procedural controls, and (3) technical controls. First, physical controls are those controls which seek to prevent an attack through the use of something tangible. Examples of physical controls include mechanisms such as walls, locks, security guards, security cameras, backup copies or real-time replication of data, and natural- or man-made-disaster protection devices such as smoke alarms or fire extinguishers.

In addition to physical controls, information security personnel can also rely upon procedural and administrative controls to protect information systems. Procedural and administrative controls are guidelines or agreements that require or advise people to act in certain ways with the goal of protecting information assets. They include mechanisms such as laws and local regulations; organizational policies, procedures, or guidelines; methods of protecting intellectual property such as copyrights, patents, or trade secrets; and contracts or other documents that govern the relationship between two or more parties.

Finally, we have technical controls. Technical controls are controls or countermeasures that use technology-based mechanisms to protect information systems from harm. These can include passwords, access controls in operating systems or application software, network protocols, firewalls and intrusion detection systems, encryption technology, network traffic flow regulators, and so forth. When used together, these different types of controls establish a layered defense and provide the best possible chance of preventing information systems from suffering harm.

1 comment:

  1. You did a very good job on explaining this post, thank you!! It was easy for me to comprehend.
