
Weekly CISSP Practice

Exam Questions

Week 44 - Question 1

What are the three types of security controls?

A. Logical, Physical, Administrative
B. Detection, Prevention, Correction
C. Firewall, IDS, IPS
D. Technical, Management, Operational

Answer: D. Technical, Management, Operational
Explanation:

Detailed Deep Dive: Security Control Categories

To succeed on the CISSP exam, you must distinguish between how a control is implemented (Category) and what the control does (Function). The following three categories represent the "Who, How, and What" of security implementation:

1. Technical (Logical) Controls

Technical controls are the tactical "digital" safeguards. These are primarily implemented through hardware, software, or firmware. They are designed to automate protection without requiring constant human intervention.

  • Deep Dive: Think of these as the "logic" of your security architecture. If a system makes a decision based on bits and bytes (like blocking an IP or encrypting a packet), it is a Technical control.

  • CISSP Examples: Encryption algorithms (AES-256), Firewalls, Intrusion Detection Systems (IDS), Biometric authentication, and Access Control Lists (ACLs).

2. Management (Administrative) Controls

Management controls are the "top-down" strategic measures. These are the policies, standards, and guidelines created by leadership to define the organization’s security posture.

  • Deep Dive: These controls focus on the "governance" of security. They ensure that the organization is meeting legal, regulatory, and business requirements. They are the "brains" behind the operation, dictating the rules that Technical and Operational controls must follow.

  • CISSP Examples: Risk assessments, security awareness training programs, data classification policies, and personnel vetting (background checks).

3. Operational Controls

Operational controls are the human-centric and physical procedures. These rely on people following specific steps to maintain the security of the environment on a day-to-day basis.

  • Deep Dive: While Technical controls are automated, Operational controls are often manual or procedural. They bridge the gap between policy (Management) and hardware (Technical).

  • CISSP Examples: Media sanitization (shredding hard drives), facility walkthroughs, backup and recovery procedures, and physical environmental protections like fire suppression and lighting.


Why the Other Options Fall Short

  • Option A (Logical, Physical, Administrative): This is a very common "trap" answer. While these are widely used terms in the industry, the CISSP exam (following frameworks like NIST SP 800-53) specifically looks for Technical, Management, and Operational as the primary implementation categories.

  • Option B (Detection, Prevention, Correction): These are Control Functions. They describe the intent of the control (e.g., a camera detects, a lock prevents). A Technical control can be a Preventive control (like a firewall), but they belong to different classification systems.

  • Option C (Firewall, IDS, IPS): These are far too narrow. These are specific tools—not categories. In a CISSP scenario, always look for the most "umbrella" or holistic term provided.

Podcasts

Check out my weekly podcasts, which delve deep into the relevant topics for each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.