ABSTRACT

We, in the security field, are “controls” freaks, not control freaks (although some say we are that, too). We are continually interested in controls that enable us to safeguard systems and data. Controls come in a number of forms. They may be administrative, such as policies and standards. Some controls are physical, such as walls and removable media. Increasingly, many controls are technical (or logical) measures such as encryption and antivirus scanning. In planning and considering the types of controls we have, their effectiveness, and the new ones we may need, we find it helpful to categorize controls into three different types. This tripartite arrangement of security controls has developed from the normal divisions of responsibility in business: management, physical plant, and operations (technical, in the case of information systems).