II.C.3     Control Types

Management may mitigate information security risks by implementing controls. Controls may be categorized according to timing and nature.

Table 1 - Controls

It is important to have a layered control system, which deploys different controls at different points of a business process and throughout an IT system so that the strength of one control can compensate for weaknesses in or possible failure of another control. Therefore, layered controls function in an integrated fashion to more effectively mitigate risk.

Economic and technical considerations generally drive the choice, in system design, between preventive controls and detective or responsive controls. Compensating controls are controls that adjust for weaknesses within a system or process. An example of a compensating control is a review of activity logs for applications that do not allow proper segregation of duties.
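As an added example (not from the handbook), the following Python script implements the log-review compensating control just described: it reads a constructed activity log from an application that cannot itself enforce segregation of duties and flags transactions that one user both created and approved. The log format, field names, action names and sample lines are all assumptions.

```python
# Added example, not from the handbook: a detective compensating control that
# reviews application activity logs for segregation-of-duties conflicts in an
# application that cannot prevent one user from creating and approving a payment.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample activity log (CSV): timestamp, user, action, txn_id, amount
SAMPLE_LOG = """\
timestamp,user,action,txn_id,amount
2024-03-01T09:02:11,alice,CREATE_PAYMENT,TX1001,4800.00
2024-03-01T09:40:05,bob,APPROVE_PAYMENT,TX1001,4800.00
2024-03-01T10:15:32,carol,CREATE_PAYMENT,TX1002,12500.00
2024-03-01T10:16:01,carol,APPROVE_PAYMENT,TX1002,12500.00
2024-03-01T11:05:44,dave,CREATE_PAYMENT,TX1003,300.00
2024-03-01T11:30:19,dave,APPROVE_PAYMENT,TX1003,300.00
2024-03-01T12:00:00,erin,APPROVE_PAYMENT,TX1004,900.00
"""

# Pairs of actions that one user must never perform on the same transaction.
CONFLICTING_PAIRS = {("CREATE_PAYMENT", "APPROVE_PAYMENT")}


def parse_log(text):
    """Parse the CSV activity log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_sod_violations(rows, conflicts=CONFLICTING_PAIRS):
    """Return (violations, incomplete). A violation is (txn_id, user, amount)
    where one user performed both actions of a conflicting pair; incomplete
    lists (txn_id, user) approvals with no logged creation, for follow-up."""
    by_txn = defaultdict(dict)  # txn_id -> {action: (user, amount)}
    for r in rows:
        by_txn[r["txn_id"]][r["action"]] = (r["user"], r["amount"])
    violations, incomplete = [], []
    for txn, actions in sorted(by_txn.items()):
        for first, second in conflicts:
            if first in actions and second in actions:
                if actions[first][0] == actions[second][0]:
                    violations.append((txn, actions[first][0], float(actions[first][1])))
            elif second in actions:
                incomplete.append((txn, actions[second][0]))
    return violations, incomplete


if __name__ == "__main__":
    found, pending = find_sod_violations(parse_log(SAMPLE_LOG))
    for txn, user, amount in found:
        print(f"SoD conflict: {user} both created and approved {txn} ({amount:.2f})")
```

The `incomplete` list is what makes this a usable review rather than a simple match: an approval with no logged creation may mean a logging gap, which is itself a weakness the reviewer must run down.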
