There are three primary areas or classifications of security controls. These include management security, operational security, and physical security controls.
What is Management Security?
Management security is the overall design of your controls. Sometimes referred to as administrative controls, these provide the guidance, rules, and procedures for implementing a security environment.
What is Operational Security?
Operational security is the effectiveness of your controls. Sometimes referred to as technical controls, these include access controls, authentication, and security topologies applied to networks, systems, and applications.
What is Physical Security?
Physical security is the protection of personnel, data, hardware, etc., from physical threats that could harm, damage, or disrupt business operations or impact the confidentiality, integrity, or availability of systems and/or data.
An effective information security program includes controls from each area. Controls are selected based on the organization's determination of risk and how it chooses to address each risk. For a given risk, controls from one or more of these areas may be applied. For example, an organization may identify the risk of unauthorized access to sensitive data stored on an internal database server. The organization might then apply physical security controls to restrict access to the building, operational security controls to prevent and detect unauthorized logins to the server, and management security controls to define who is authorized to access the data. Because risk is unique to each organization, the controls designed to address a given risk will be unique as well.
LBMC Information Security provides strong foundations for risk-management decisions. We design our security risk assessments to arm your organization with the information it needs to fully understand your risks and compliance obligations. Learn more about our Risk Assessments / Current State Assessments.