entry 003 · SOC journey

Controls, categories and the data we are all protecting

We have covered the MITRE ATT&CK Framework and the CIA Triad. Now we are getting into something that ties a lot of it together: security controls. And then we will talk about data classification, because at the end of the day, everything we are protecting is data.

This one is a two-parter but I promise it flows. Bear with me.

Security Control Categories

Security controls fall into categories and types. Think of the category as how a control works and the type as what it does. Every control fits into both. So let me walk you through the categories first.

Technical controls are the technology doing the heavy lifting for you. You do not have to think about it, it just works in the background. Like how your phone automatically locks after a few seconds of inactivity. You did not do anything, the technology handled it. Firewalls, antivirus software, encryption and passwords all fall here.

Managerial controls are the decision making and planning side. The people at the top deciding how security should look and writing it all down. Like a company saying "all employees must change their passwords every 90 days." Nobody is physically forcing you but the rule exists and it came from management. Risk assessments, security policies and procedures live here.

Operational controls are the human side, the day to day actions people take to keep things secure. Like a receptionist asking for your ID before letting you into a building. No technology involved, just a person doing their job properly. Staff training, security awareness programmes and physical security all fall here.

Security Control Types

Now the types tell us what the control actually does. And once you know the types, you start seeing them everywhere.

Preventive controls stop attacks before they happen. Like a lock on a door, it does not wait for someone to break in, it stops them getting in at all.

Deterrent controls discourage attackers from even trying. Like a security camera sign on a shop window. The camera may or may not be real but the sign alone makes people think twice.

Detective controls identify attacks, either while they are happening or after the fact. Think of a smoke alarm, it does not stop the fire but it tells you something is wrong.

Corrective controls fix damage after an attack. Picture a fire extinguisher, the fire has already started but you use it to limit the damage.

Compensating controls are alternatives put in place when the primary control is not possible. Like if you cannot install a lock on a door, you put a security guard there instead. Different method, same goal.

Directive controls instruct people how to act. For instance, a "no smoking" sign or a company policy document. It does not physically stop anything but it sets the rules everyone is expected to follow.

And here is how the categories and types connect. A CCTV camera is Operational and Detective. A firewall is Technical and Preventive. A security policy document is Managerial and Directive. They are not separate boxes, every control sits in both at the same time.

A "No Trespassing" sign outside a building is Operational and Deterrent. It does not physically stop anyone but it discourages them and signals that security is taken seriously. The lock on the door right next to it is also Operational but Preventive. Same category, different type, working together.


Data Classification

Now we know what controls exist and how they work, the next question is: what exactly are we protecting? The answer is data. But not all data needs the same level of protection, which is why we classify it.

Let me explain it through a story. Imagine you and four friends. Five of you total. Here is how the different types of data play out in that group.

Public

Your name. Everyone knows it. People outside the group, strangers, people who have never met you. It is just out there and that is fine.

Think company websites, press releases, your LinkedIn profile. Freely available, no harm if anyone sees it.

Private / Internal

The names of your crushes. Only the five of you know. Not secret enough to be whispered in corners but definitely not for outsiders.

Things like internal company emails, employee records, internal reports. Not classified but not for the general public either.

Confidential

One of your friends is going through something and pulls just you aside. The other three do not know and should not know. Shared on trust, stays between two people.

Business strategies, client contracts, salary information. Shared only with people who specifically need to know.

Restricted

A friend tells you something so serious, so personal, that even writing it down feels wrong. You do not text it, you do not mention it anywhere. You say it face to face and it stays there. Because if it got out it would not just be embarrassing, it would genuinely affect their life.

Medical records, government classified information, financial data. The kind of leak that causes real damage, legal consequences and lives turned upside down.


Classifying data matters because not everything deserves the same level of protection. And knowing what type of data you are dealing with tells you exactly what kind of controls to put around it. See how it all connects?
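As an added illustration (my own example, not from any standard or from the original entry), here is a small Python model of the two ideas above: every control sits in a category and a type at the same time, and the classification of the data decides which types must be in place, with a compensating control standing in for the type it replaces. The minimum set of types per classification level is a constructed assumption for the sake of the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Categories (how a control works) and types (what it does), as on the page.
CATEGORIES = {"technical", "managerial", "operational"}
TYPES = {"preventive", "deterrent", "detective", "corrective", "compensating", "directive"}


@dataclass(frozen=True)
class Control:
    name: str
    category: str
    control_type: str
    covers: str = ""  # compensating controls only: the type they stand in for

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES or self.control_type not in TYPES:
            raise ValueError(f"unknown category or type for {self.name}")
        if self.control_type == "compensating" and self.covers not in TYPES:
            raise ValueError(f"{self.name} must name the type it compensates for")

# Constructed minimum: control types each classification level needs in place.
# This baseline is an assumption for illustration, not a published standard.
REQUIRED_TYPES = {
    "public": set(),
    "private": {"directive"},
    "confidential": {"directive", "preventive", "detective"},
    "restricted": {"directive", "preventive", "detective", "corrective"},
}

def control_matrix(controls: list[Control]) -> dict[tuple[str, str], list[str]]:
    """Place every control in both a category and a type at the same time."""
    grid = defaultdict(list)
    for c in controls:
        grid[(c.category, c.control_type)].append(c.name)
    return dict(grid)

def coverage_gaps(classification: str, controls: list[Control]) -> set[str]:
    """Required types that no control provides; a compensating control
    counts toward the type it stands in for, not as a type of its own."""
    provided = {c.covers if c.control_type == "compensating" else c.control_type
                for c in controls}
    return REQUIRED_TYPES[classification] - provided

# Constructed sample: the three controls the entry itself pairs up.
SAMPLE = [
    Control("firewall", "technical", "preventive"),
    Control("CCTV camera", "operational", "detective"),
    Control("security policy", "managerial", "directive"),
]
```

Running `coverage_gaps("restricted", SAMPLE)` reports that nothing corrective is in place, while swapping the firewall for a guard marked as compensating for "preventive" closes that gap the way the door-lock example describes.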

My question for this entry: which type of data do you think organisations struggle to protect the most, and why? I have a feeling it is not the obvious one.