Physical, Technical & Administrative Controls
During my journey towards becoming a better cyber security practitioner I found myself bumping into the different security controls an organisation can implement towards a more mature security posture.
These controls should, as far as possible, be selected after a risk assessment (Level of Risk = Probability + Impact) and take the form of physical, technical and administrative controls; but what exactly are they?
Physical Controls
Physical controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people. They typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility. Physical controls also provide protection and control over entry onto the land surrounding the buildings, parking lots or other areas that are within the organisation’s control. In most situations, physical controls are supported by technical controls as a means of incorporating them into an overall security system.
Visitors and guests accessing a workplace, for example, must often enter the facility through a designated entrance and exit, where they can be identified, their visit’s purpose assessed, and then allowed or denied entry. Employees would enter, perhaps through other entrances, using company-issued badges or other tokens to assert their identity and gain access. These require technical controls to integrate the badge or token readers, the door release mechanisms and the identity management and access control systems into a more seamless security system.
Technical Controls
Technical controls (also called logical controls) are security controls that computer systems and networks directly implement. These controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data. Technical controls can be configuration settings or parameters stored as data, managed through a software graphical user interface (GUI), or they can be hardware settings done with switches, jumper plugs or other means. However, the implementation of technical controls always requires significant operational considerations and should be consistent with the management of security within the organisation. Many of these will be examined in more depth as we look at them in later sections in this chapter and in subsequent chapters.
Administrative Controls
Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organisation. They provide frameworks, constraints and standards for human behaviour and should cover the entire scope of the organisation’s activities and its interactions with external parties and stakeholders.
It is vitally important to realise that administrative controls can and should be powerful, effective tools for achieving information security. Even the simplest security awareness policies can be an effective control, if you can help the organisation fully implement them through systematic training and practice.
Many organisations are improving their overall security posture by integrating their administrative controls into the task-level activities and operational decision processes that their workforce uses throughout the day. This can be done by providing them as in-context ready reference and advisory resources, or by linking them directly into training activities. These and other techniques bring the policies closer to the people who apply them, rather than leaving them solely in the hands of senior executives. It also makes them immediate, useful and operational on a daily and per-task basis.
As you work to design security for your organisation, you’ll want to use a variety of different control types to help achieve your security objectives.