Identifying and Evaluating Controls

A control, also called a countermeasure, is a security control or a safeguard. A control is implemented to reduce a risk, and a risk can be reduced by reducing vulnerabilities or the impact of the threat.

When identifying and evaluating controls, the following should be considered:

  • In-place controls—In-place controls are those that are currently installed in the operational system.
  • Planned controls—Planned controls are those that have a specified implementation date.

In-Place and Planned Controls

Controls cost money. Before purchasing a control, an organization will evaluate its options. During its evaluation of alternative controls, the organization will gather relevant documentation. The documentation for these controls should be reviewed when performing a risk assessment because it can reveal several things.

If the control is in place, its effectiveness can be measured. Ideally, controls are as effective as they are expected to be, but some controls aren’t as effective as others. An intrusion detection system may have been added that produced a high level of false alarms, which caused administrators to eventually ignore them, or a spam appliance may have been added that marks valid emails as spam.

If an in-place control is ineffective, the reason needs to be determined. The risk assessment can include an evaluation of the control to determine what should be done differently. Confirming that a control is effective is equally important.

A planned control probably won’t be changed. However, reviewing the documentation that recommended it is still valuable. The current systems can be evaluated to ensure the original threats and vulnerabilities still exist. Additional tools or techniques may also exist that will allow the enhancement of the original recommendations.

Control Categories

Controls are organized or classified in several ways. One popular method is to define them based on these three categories:

  • Procedural controls
  • Technical controls
  • Physical controls

The following sections explain these three categories, but other categories are also used. NIST has published many documents related to information security. SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, was released in April 2013.

NOTE

This section introduces the identification and evaluation of controls.

Prior to Revision 4, NIST SP 800-53 classified its control families as Management Controls, Technical Controls, or Operational Controls. However, some controls within each family combined management, technical, and operational characteristics. NIST removed these class designations in SP 800-53 Rev. 4. TABLE 6-1 shows the current NIST control families.

TABLE 6-1 NIST Control Families

CONTROL FAMILY                               NUMBER OF CONTROLS
Access Control                               23
Awareness and Training                        4
Audit and Accountability                     16
Security Assessment and Authorization         8
Configuration Management                     11
Contingency Planning                         12
Identification and Authentication            11
Incident Response                            10
Maintenance                                   6
Media Protection                              8
Physical and Environmental Protection        19
Planning                                      6
Personnel Security                            8
Risk Assessment                               5
System and Services Acquisition              20
System and Communications Protection         41
System and Information Integrity             16
Program Management                           16

No matter how the controls are listed, the goals are the same: to protect the confidentiality, integrity, and availability of systems and data.

Procedural Controls

Procedural controls are controls put in place in response to the rules and guidelines directed by upper-level management, and they include several specific controls. One important characteristic of procedural controls is that they are implemented through a written document.

Examples of procedural controls are:

  • Policies and procedures—This control may be an organization’s overall security policy, or it may be a specific procedure, such as the steps used to back up a server.
  • Security plans—These plans are comprehensive to help an organization deal with different events. For example, a disaster recovery plan helps an organization plan for a disaster, such as a hurricane or an earthquake.
  • Insurance—Insurance can reduce the impact of a risk. Common examples include fire insurance and flood insurance.
  • Personnel checks—An organization may have policies in place to perform different types of checks on personnel; they could include background checks or financial checks.
  • Awareness and training—Many organizations regularly take steps to raise the security awareness of personnel, which can be done through, for example, formal training, posters, and emails.
  • Rules of behavior—Many organizations use rules of behavior, also called acceptable use policies (AUPs), to let people know what they can do with computers and systems. An AUP is often a document that users read and sign when they are hired. Commonly, employees are required to review the documents on a regular basis, such as once a year.

NOTE

Previous versions of NIST SP 800-53 referred to procedural controls as administrative controls.

Technical Controls

A technical control uses computers or software to protect systems. The benefit of a technical control is that it is automated, which means that it is set once and will consistently enforce the control.

Some examples of technical controls are:

  • Logon identifier—Users are required to provide credentials before they are granted access to the system; this process is also referred to as authentication. Three primary factors of authentication exist:
    • Something the user knows, such as a username and password
    • Something the user has, such as a smart card
    • Something about the user, such as information captured by biometrics
  • Session time-out—Many systems automatically time out after a period of inactivity. For example, a password-protected screen saver locks a computer after a specific number of minutes. When the time has passed, the screen saver starts, and the user must enter credentials before accessing the system again.
  • System logs—System logs record activity performed by systems, users, or attackers. For example, a system log can identify when a server was shut down or when specific services were stopped or started. Application logs can record specific application activity.
  • Audit trails—Many types of audit logs can be used to create an audit trail. A security log can record all access to specific files, and a firewall log can record all traffic entering or leaving a network.
  • Input validation—Applications can use data range and reasonableness checks to validate data before using it. As a simple example, dividing by zero is impossible. A program that accepts values used in a divide operation can ensure the value is not zero before using it.
  • Firewalls—Network firewalls can control traffic coming into and out of a network. Host-based firewalls can restrict traffic for individual systems.
  • Encryption—Data can be encrypted when it is stored on a drive or transmitted over a network, which provides confidentiality of the data.
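The input validation entry above describes data range and reasonableness checks and the divide-by-zero case. The following is an added example, not code from the textbook: a hypothetical application that reads a "units produced" count and an "hours worked" figure as text, applies type, range, and reasonableness checks to each, and only then performs the division. The field names and limits are constructed for illustration.

```python
"""Input validation as a technical control: type, range and reasonableness checks.

Added example (not from the textbook). The fields, their limits, and the
units-per-hour calculation are constructed for illustration.
"""
import math
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised when an input fails a type, range, or reasonableness check."""


@dataclass(frozen=True)
class NumericField:
    name: str
    minimum: float
    maximum: float
    allow_zero: bool = True

    def parse(self, raw: str) -> float:
        # Type check: reject anything that is not a plain decimal number.
        try:
            value = float(raw.strip())
        except (TypeError, ValueError, AttributeError):
            raise ValidationError(f"{self.name}: not a number: {raw!r}")
        # "nan", "inf" and huge exponents pass float() but are never reasonable input.
        if not math.isfinite(value):
            raise ValidationError(f"{self.name}: not a finite number: {raw!r}")
        # Range check: the value must lie within the documented bounds.
        if not (self.minimum <= value <= self.maximum):
            raise ValidationError(
                f"{self.name}: {value} outside range [{self.minimum}, {self.maximum}]"
            )
        # Reasonableness check for divisors: zero can never be used.
        if not self.allow_zero and value == 0:
            raise ValidationError(f"{self.name}: must not be zero")
        return value


# Constructed limits: at most 100,000 units, and no more hours than a 31-day month holds.
UNITS = NumericField("units_produced", minimum=0, maximum=100_000)
HOURS = NumericField("hours_worked", minimum=0, maximum=744, allow_zero=False)


def units_per_hour(raw_units: str, raw_hours: str) -> float:
    """Validate both inputs first; the divisor is guaranteed non-zero by HOURS.parse."""
    units = UNITS.parse(raw_units)
    hours = HOURS.parse(raw_hours)
    return units / hours


def check_inputs(raw_units: str, raw_hours: str) -> tuple[bool, str]:
    """Form-handler style wrapper: returns (accepted, message) instead of raising."""
    try:
        return True, f"{units_per_hour(raw_units, raw_hours):.2f} units/hour"
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for units, hours in [("400", "8"), ("400", "0"), ("abc", "8"), ("400", "800"), ("nan", "8")]:
        print(units, hours, "->", check_inputs(units, hours))
```

The checks are ordered from cheapest to most specific: the type check runs first so that the range comparison never sees a non-number, and the zero check is separate from the range check so that the rejection message tells the user exactly which rule failed.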
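The system log and audit trail entries above describe logs recording when a server was shut down or when services were stopped or started. The following is an added example, not code from the textbook: it parses a few constructed syslog-style lines (host name, timestamps, and service names are made up) into a structured audit trail and then reports services that were stopped and never started again, which is the kind of question an auditor reviewing the trail would ask.

```python
"""Building an audit trail from system log lines.

Added example (not from the textbook). SAMPLE_LOG is constructed to resemble
Linux syslog/systemd output; the host, times and services are invented.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Mar 14 02:11:05 web01 systemd[1]: Stopped OpenSSH server daemon.
Mar 14 02:11:09 web01 systemd[1]: Started OpenSSH server daemon.
Mar 14 02:15:42 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl stop auditd
Mar 14 02:15:43 web01 systemd[1]: Stopped Security Auditing Service.
Mar 14 02:30:00 web01 cron[812]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 03:02:17 web01 systemd[1]: Shutting down.
"""

# syslog layout: "<Mon dd HH:MM:SS> <host> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    actor: str    # process that logged the line, or the sudo user for privileged commands
    action: str   # service_stop, service_start, shutdown, privileged_cmd
    detail: str


def parse_events(log_text: str) -> list[Event]:
    """Turn raw log lines into audit events; lines that match no rule are skipped."""
    events: list[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, msg = m.group("ts", "host", "proc", "msg")
        if proc.startswith("systemd"):
            if msg.startswith("Stopped "):
                events.append(Event(ts, host, proc, "service_stop", msg[8:].rstrip(".")))
            elif msg.startswith("Started "):
                events.append(Event(ts, host, proc, "service_start", msg[8:].rstrip(".")))
            elif msg.startswith("Shutting down"):
                events.append(Event(ts, host, proc, "shutdown", msg.rstrip(".")))
        elif proc == "sudo":
            # sudo records who ran what as root: "<user> : ... ; COMMAND=<cmd>"
            user = msg.split(" : ", 1)[0]
            cmd = msg.rsplit("COMMAND=", 1)[-1] if "COMMAND=" in msg else msg
            events.append(Event(ts, host, user, "privileged_cmd", cmd))
    return events


def stopped_services(events: list[Event]) -> list[str]:
    return [e.detail for e in events if e.action == "service_stop"]


def unrestarted_stops(events: list[Event]) -> list[Event]:
    """Service stops with no later start of the same service (e.g. auditing switched off)."""
    flagged = []
    for i, e in enumerate(events):
        if e.action != "service_stop":
            continue
        restarted = any(
            later.action == "service_start" and later.detail == e.detail
            for later in events[i + 1:]
        )
        if not restarted:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    trail = parse_events(SAMPLE_LOG)
    for e in trail:
        print(f"{e.timestamp} {e.host} {e.actor:<12} {e.action:<15} {e.detail}")
    print("stopped and not restarted:", [e.detail for e in unrestarted_stops(trail)])
```

Keeping the actor field separate from the action makes the trail answer the audit questions "who" and "what" independently; in the sample, the sudo line attributes the auditd stop to a named user, and the unrestarted-stop check surfaces that the Security Auditing Service was never brought back before the shutdown.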

Physical Controls

A physical control controls the physical environment. Physical controls include locks and guards to restrict physical access and elements to control the environment, such as heating and cooling systems.

Examples of physical controls are:

  • Locked doors—Server rooms can be locked to protect servers, and wiring closets that host routers and switches can be locked. Proprietary data can also be protected, such as employee files or research data, by locking doors and filing cabinets.
  • Guards and access logs—Guards can be hired to control access to sensitive areas, such as at the front entrance of a building or in internal areas, and an access log can be used to list individuals who have authorized access. The guard then allows access only to personnel on this list. Access logs can also be used to record individuals who have accessed a room.
  • Video cameras—Cameras can monitor areas on a continuous basis. Closed circuit television (CCTV) systems work very well as a deterrent because many CCTV systems can record data from multiple cameras.
  • Fire detection and suppression—A fire can destroy a significant amount of data and hardware in a very short period of time. Effective detection and suppression systems detect the fire before it gets too big and then quickly extinguish it.
  • Water detection—Some areas are prone to flooding. When water is detected, pumps can be turned on automatically to remove the water. If the flooding can’t be controlled, the detection system can turn off electrical systems to reduce possible damage.
  • Temperature and humidity detection—Systems need to operate within certain temperature ranges. If they get too hot, electrical components overheat and fail. High humidity can cause condensation on the systems, which can also cause failures. Heating, ventilation, and air-conditioning (HVAC) systems control the temperature and humidity.
  • Electrical grounding and circuit breakers—Proper grounding ensures that dangerous voltage is routed to ground when electrical systems fail. Grounding protects equipment and personnel, and circuit breakers protect systems and wiring. When a failure results in excess current, the circuit breaker will cut the power before the excess current can start a fire or damage the equipment.