There are many different flavors of controls, so be sure to understand them all. Starting with what they do:
- Preventive – tries to prevent something bad from happening, like a fence
- Detective – tries to identify/notify when something bad actually happens, like an audit log
- Corrective – tries to fix or recover from the bad thing that happened, like terminating an employee
Controls can also be placed into categories:
- Management – refers to policy or human related controls, such as policy development
- Operational – relating to processes or day-to-day operations, such as account provisioning
- Technical – something that technology handles, such as authentication
Another categorization scheme puts the controls into the following:
- Physical – related to facilities, such as the fence previously mentioned
- Administrative – related to policies and people processes, such as the hiring/firing process
- Technical – related to or controlled by technology, such as the audit logging capabilities
And the last few:
- Common or Inheritable – related to things that are controlled at a higher level and applicable across the organization.
- Tailored controls – when the control is tuned for a specific standard or use-case, such as adding a 60-day threshold to the control “user accounts must expire [after 60 days of inactivity]” instead of “user accounts must expire [at an organization-defined frequency]”.
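As an added example (not from the original notes), here is how the tailored account-expiry control above could be implemented as a detective check with a corrective step: the inactivity threshold is a parameter whose default is the 60-day value the tailored control names, and the "organization-defined frequency" version is simply the same function called with a different threshold. The account data, the `find_inactive_accounts` and `expire_accounts` function names, and the treatment of never-logged-in accounts are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Tailored value from the control text: accounts expire after 60 days of inactivity.
DEFAULT_INACTIVITY_DAYS = 60

# Constructed sample data (not real accounts): username -> last successful login (UTC),
# or None for an account that has never logged in.
SAMPLE_ACCOUNTS = {
    "alice": datetime(2024, 5, 30, tzinfo=timezone.utc),
    "bob": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "svc-backup": datetime(2023, 11, 1, tzinfo=timezone.utc),
    "carol": None,
}


def find_inactive_accounts(accounts, now, max_inactive_days=DEFAULT_INACTIVITY_DAYS,
                           never_logged_in_is_inactive=True):
    """Detective control: return the sorted usernames whose last login is older than
    the threshold. The threshold is the tailoring knob: 60 for the tailored control,
    any other value for an organization-defined frequency."""
    cutoff = now - timedelta(days=max_inactive_days)
    inactive = []
    for name, last_login in accounts.items():
        if last_login is None:
            # Assumption: an account that never logged in counts as inactive
            # unless the caller opts out.
            if never_logged_in_is_inactive:
                inactive.append(name)
            continue
        if last_login < cutoff:
            inactive.append(name)
    return sorted(inactive)


def expire_accounts(accounts, now, max_inactive_days=DEFAULT_INACTIVITY_DAYS):
    """Corrective control: return a new mapping of username -> enabled flag, with the
    inactive accounts disabled. The input is not mutated, so the caller can log the
    before/after state as an audit record."""
    inactive = set(find_inactive_accounts(accounts, now, max_inactive_days))
    return {name: name not in inactive for name in accounts}


if __name__ == "__main__":
    as_of = datetime(2024, 6, 15, tzinfo=timezone.utc)
    print("60-day threshold:", find_inactive_accounts(SAMPLE_ACCOUNTS, as_of))
    print("180-day threshold:", find_inactive_accounts(SAMPLE_ACCOUNTS, as_of, 180))
    print("account state after expiry:", expire_accounts(SAMPLE_ACCOUNTS, as_of))
```

Running it with the constructed data shows the effect of tailoring: at 60 days `bob`, `svc-backup` and `carol` are flagged, while at 180 days only `svc-backup` and `carol` are. Interviewing and examining (below) would then confirm that the threshold actually configured matches the one the policy document states.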
Controls can be evaluated in three ways:
- Testing – live interaction with the system
- Interviewing – staff and management to verify the controls
- Examining – documents that prove how the control was implemented