Managing security at any level brings many benefits. Each contributes to the overall computer security program with different types of expertise, authority and resources.  The integration of management, operational  and technical controls provides a “Defense-In-Depth” approach.

Management Controls

iStock 000011445815XSmallSecurity topics that can be characterized as Managerial. They are techniques and concerns that are normally addressed by management in the organization’s computer security program.  In general, they focus on the management of the computer security program and the management of risk within the organization.
  • Risk  Management
  • Review of Security Controls
  • Life-cycle Management (Vulnerabilities, etc)
  • Certification & Accreditation
  • System Security Plans Policies, Procedures Standards, & Guidance
  • Performance Metrics  

Operational Controls

Security controls that focus on controls that are, broadly speaking, implemented and executed by people ( as opposed to systems).  These controls are put in place to improve the security of a particular system (or group of systems). They often require technical  or specialized expertise and often rely upon management activities as well as technical controls.
  • Computer Network Defense
  • Personnel Security
  • Physical and Environmental
  • Production Input/Output Controls
  • Contingency Planning
  • Hardware & Software Maintenance
  • Data Integrity
  • Documentation( Architecture, User Guides,)
  • Security Awareness, Education & Training
  • Continuity Of Operations / Disaster Recovery Programs
  • Incident Response Support
  • Forensic Investigation
  • Automated Vulnerability Remediation (AVR)

Technical Controls

Focuses on security controls that the computer system executes. These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security within the organization.
  • Identification and Authentication
  • Logical Access Controls
  • Audit Trails
  • Firewalls