Implementing Policy-Based Controls
Security policy frameworks and the specific security policies adopted by organizations lay out control objectives that an organization wishes to achieve. These control objectives are statements of a desired security state, but they do not, by themselves, actually carry out security activities. Security controls are specific measures that fulfill the security objectives of an organization. They come in three different categories:
- Physical controls are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
- Logical controls are technical controls that enforce confidentiality, integrity, and availability in the digital space. Examples of logical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.
- Administrative controls are procedural mechanisms that an organization follows to...