ABSTRACT

A security program, whether at the organization or system level, should include an appropriate mixture of security controls: management, operational, and technical. Management controls are techniques that are normally addressed by management in the organization’s information and communication technology (ICT) security program; they focus on managing the entire program and the identified risks that may inhibit the organization’s ability to mitigate threats and vulnerabilities. Operational controls are those that are operated by people, as opposed to technology or systems. These controls often depend on the technical expertise of network and security teams in addition to other management and technical controls. Technical controls are those that the system executes. These controls should be consistent with the operational context of the organization and selected management controls.