Bhaskar and Ahson state that security controls are selected and applied based on a risk assessment of the information system. The risk assessment process identifies system threats and vulnerabilities, and controls are for mitigating risk and to reduce probability of loss. When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls. Purcell states that security controls are measures taken to safeguard an information system from the attacks against the confidentiality, integrity, and availability of the information system. There are two ways to categorize security controls. The first way is to put the security control into administrative, technical (also called logical), or physical control categories. In this taxonomy, the control category is based on their nature. The second way to categorize security controls is taxonomy according to the time that they act, relative to a security incident, they are directing, preventing and correcting. (Information Security Controls, YAU Hon Keung)
Last date updated on September, 2024
Spanish 
Chinese 
Russian 
German 
French 
Japanese 
Portuguese 
Hindi