Security controls are a critical component to meet a Company’s primary SOC 2 goals of security, availability, processing integrity, confidentiality, and privacy of data. There are different control types that can be implemented, and each control that is mapped to a control type is represented with a different identified functionality and purpose. Controls are put into place to minimize the risk that an organization faces, and there are three primary types of internal controls:
- Administrative
- Technical (logical controls)
- Physical
When these control types are appropriately implemented, they provide a company with defense-in-depth, which is a coordinated use of multilayered security controls. The controls that are implemented safeguard against the threats the Company faces. Normally, additional controls will be mapped to riskier assets at the Company, for additional layers of protection.
The three control types have different controls with different functionalities created to safeguard the control environment. There are six control functionalities, and the different functionalities of the security controls types are:
- Preventive
- Detective
- Corrective
- Deterrent
- Recovery
- Compensating
When considering the security posture for a Company’s control environment, it is most productive to use a primarily preventive model, and then use detective, corrective, recovery, and compensating controls to supplement and support the control environment.
What Is a Preventive Control?
A preventive control (also commonly referred to as a “preventative control”) is a control that is put into place and intended to avoid an incident from occurring. The point of preventive control is to stop any trouble before it starts. A preventive control attempts to block any unauthorized attempts to change a system before it happens, and therefore, prevention, in theory, means that an attack will fail. As an example, if a bad actor attempts to break into a host online, but that host is not connected to the Internet, then the attack has been prevented. Typically, preventive controls involve implementation of mechanisms that users cannot override. These are mechanisms that are expected to be implemented in a correct, unalterable way, and this prevents a bad actor from defeating the mechanism by changing it.
Preventive controls and mechanisms are often process-oriented and increase the time for carrying out certain system activities. At times, preventive controls may interfere with system use, to the point that they hinder normal use of the system. In these such cases, determination by Company management regarding whether preventive controls are the best control functionality option that should be implemented should be considered.
There are simple preventive mechanisms, such as passwords (which aim to prevent unauthorized users from accessing the system), and depending on the password parameter’s level of complexity utilized, pushback may be a factor from users of the system. Prevention controls can prevent compromise of parts of the systems: and once in place, the system is protected by the mechanism and may not need to be monitored as closely for security risks with additional control types. This would be determined during an asset risk evaluation and/or a risk and control assessment.
What Is the Difference Between Deterrent Controls, Detective Controls, and Preventive Controls?
As discussed previously, preventive controls are controls intended to completely avoid an incident from being able to occur. Deterrent controls, alternatively, are intended to discourage a bad actor from an unlawful activity that they had originally intended to perform. For example, if security cameras are put in place, they may act as a deterrent control, since an intruder may see the cameras and change their mind about coming onsite unlawfully; thus the cameras deter them from their original break-in considerations. The cameras may also be considered a detective control, as the camera logs would provide additional investigative information if an incident occurred. Preventive controls are put in place with other control types and functionality types as necessary based on risk levels.
The specific control functionality types include:
- Preventive – Intended to avoid an incident from occurring
- Detective – Identifies details and data associated with an incident’s activities
- Corrective – Fixes components or systems after an incident has occurred
- Deterrent – Method or control to discourage a potential bad actor
- Recovery – Controls established to quickly bring the environment back to regular operations
- Compensating – Controls that provide an alternative measure of control
What Are Examples of Preventive Controls?
Preventive controls protect against vulnerabilities and reduce the impact of attacks, or prevent an attack’s success. When trying to determine examples of preventive controls, consideration should be given to the main reason or purpose that the control is being put into place. For instance, a firewall tries to prevent something bad from taking place (bad actor gaining access to the network), so it is a preventive control. Auditing logs are done after an event took place, so it is detective control; while a data backup system is developed so that data can be recovered; therefore, this is a recovery control. Finally, a backup image is created so that if software gets corrupted, it can be reloaded, thus a corrective control.
What Are the Three Types of Internal Controls?
Preventive: Administrative
Administrative controls are sometimes referred to as “soft controls” because these controls are more management and documentation oriented. Administrative controls within a SOC 2 report fall primarily in the control environment, communication and information, control activities, risk assessment, and risk mitigation trust service criteria.
Examples of Preventive Administrative Controls are:
- Policies and procedures
- Onboarding and hiring processes
- Reference and background checks
- Offboarding and termination processes
- Security awareness trainings
- Data classification and labeling
Preventive: Physical
Physical controls are controls and mechanisms put into place to protect the facilities, personnel, and resources for a Company. Physical controls within a SOC 2 report fall primarily in the logical and physical access trust service criteria.
Examples of Preventive Physical Controls are:
- Badges, biometrics, and keycards
- Fences, locks, mantraps
- Guards, guard dogs
Preventive: Technical (Logical)
Technical controls, sometimes referred to as Logical controls, are controls and mechanisms such as hardware and software components that are put into place to monitor and control access to information and systems. Technical controls within a SOC 2 report fall primarily in the logical and physical access, system operations, monitoring activities, change management, availability, confidentiality, and processing integrity trust service criteria.
Examples of Preventive Technical Controls are:
- Passwords, biometrics
- Encryption
- Secure protocols, least privilege principle, access control lists
- Constrained user interfaces
- Antimalware software
- Firewalls
- Static code analysis and static code review
- Intrusion detection systems
Conclusion
To maintain an appropriate overall control environment, a Company must evaluate their assets and resources to be protected, identify the privileges to be restricted, and identify available controls and their types and functions. Controls are the means to prevent misuse or abuse of privileges while allowing authorized individuals or processes to do their jobs. When appropriately implemented, proper preventive, detective, corrective, deterrent, recovery, and compensating controls will minimize the probability of successful penetration and compromise because a bad actor would have to get through several different types of protection mechanisms before they gained access to the critical information technology assets.
If you have additional preventive control questions or are interested in learning more regarding how you should consider preventive control for your upcoming SOC reports or other needed audit services, reach out to Rhonda Willert and the team at Linford & Co.
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.