As security professionals, we don't implement security controls for no reason. We have specific control objectives to achieve by implementing security controls as risk treatments that enforce the CIA security objectives (confidentiality, integrity, and availability).
Control objectives direct the planning, implementation, and evaluation of security controls. They give auditors specific targets against which to evaluate the effectiveness of security controls. They can also be classified so that risk practitioners can identify risks based on the taxonomy; for example, Compliance, Financial Reporting, Strategic, Operations, or Unknown.
Security Control Taxonomy
We implement a security control as a risk treatment measure to achieve certain security objectives; therefore, it is common to classify security controls based on security objectives. The categorization into administrative, technical, and physical controls is the most well-known, as it is the one used in HIPAA.
For example, given two questions as follows:
- Is a biometric-based system that controls the access to a computer a technical or physical control/safeguard?
- Is a biometric-based system that controls the access to the computer room a technical or physical control/safeguard?
The control objective of question No. 1 lies in mediating logical access to "information" through authentication on the computer device, e.g., by fingerprint, while the control objective of question No. 2 is controlling physical access to "information systems" or "facilities."
If we categorize security controls based on the target assets to be protected, which are the primary components of the security objective, we can conclude that the answer to the first question is technical, while the answer to the second is physical. That is why technical controls are also known as logical controls, in contrast with physical controls.
So, is a biometric-based system a technical or physical control?
The following two posts are worth your thoughts: