Controls: what are they?

What is a control? If you have spent more than five minutes talking to me or my team, we will probably have spoken of “controls”, and probably risk (but let’s stick to controls for this post).

Definition of a control

A control is a change you make to part (or all) of an organisation to reduce its exposure to information risk. For example, you may decide to put sensitive documents into a shredder when they are not needed any longer, rather than putting them in the standard paper recycling. Or you could encrypt files on shared storage, rather than storing them in clear text.

So a policy is NOT a control, but in fact describes a control. For example, you may create a policy stating that all passwords must be at least ten characters long.

Categorising controls

There is a tendency amongst all people who look at security controls to try to fit them into categories. A common set is:

• Physical
• People
• Technical
• Process/organisational

This helps people to understand what thing a control is changing. A physical control, for example, will be a physical change (e.g. putting a lock on a door, or shredding paper). A technical control could be applying security patches to systems within X days. A process control could be performing a security review when a change is planned to a system. A people control could be doing background checks on people who are to be granted access to sensitive information.

Other attributes

There are many other ways of categorising a security control. These can be used as appropriate. Examples include:

• Main purpose: detective, reactive, preventative
• Intended effect on risk: reduction of impact, reduction of likelihood, or both
• Which role(s) it applies to: which are responsible, accountable, consulted and informed
• Which part(s) of the organisation it applies to
• How long it is intended to be in effect for
• What sanctions will apply if it is not applied
• What risk(s) it is intended to affect
• What business process(es) relate to it