What Is a Control?

A control is defined as a measure that modifies or maintains risk.

There are different types of controls.

  1. Preventive controls are designed to stop an unwanted or unauthorized activity before it occurs. They act as the first line of defense in risk mitigation. For example, strong and layered user authentication can prevent unauthorized access.
  2. Detective controls are aimed at being proactive and alerting when an unauthorized or unwanted activity occurs. Detective controls do not prevent an action; however, they can trigger an alert or initiate corrective measures. Example: intrusion detection systems that notify administrators of suspicious activity.
  3. Corrective controls come into play after an incident has occurred. These controls aim to minimize the impact on the system and bring it back to a secure state. Examples are data backups and system recovery plans.