Part Four: Controls and Countermeasures

This course explores risk analysis and prepares you for the CISM examination, which will cover the significant aspects of risk. We'll cover different risk levels and types of risk and how they can potentially affect an organization. We also look at the risk assessment cycle and the stages required when analyzing risk. You'll also learn about the various risk analysis methods available. Then we'll move on to how risk analysis can be used when planning and deploying risk controls and countermeasures.

Learning Objectives

  • Identify risk levels and potential impact of given risks upon the assets
  • Learn about the risk assessment cycle
  • Learn about different risk analysis methods including qualitative, semiquantitative, quantitative, OCTAVE, and FAIR
  • Use risk analysis to control threats and risk
  • Define a strategy for deploying risk countermeasures

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


Here is section seven. We will begin our discussion of how we will make use of the results of our risk analysis and turn those into an effective program. Any decisions regarding controls must begin with knowledge of the asset, vulnerability, and risk context for which the control is being considered.

This must include a sound understanding of the normal interactions of these elements and how they would be disrupted by a variety of threats. Furthermore, the threat impact scenario forming the essentials of the context must be equally well understood. This would likely include assumptions if the scenario was neither witnessed nor recorded.

Including assumptions may be necessary in many cases, which is fine so long as these assumptions are reasonable and validated. Extending this logic to the control itself, we need to understand its method: this depicts or demonstrates its normal mode of operation and illustrates how it will interact with the operational components once it is integrated with them.

Categories: these are defined groups of controls, classified by their actions as administrative, physical, or technological in origin and function. Technical controls are the subcategory based directly in hardware or software.

Now, controls are considered to be primarily proactive measures. These provide a preventive type of function so that a threat, when it materializes, is unable to act. Where controls are properly applied, this provides a level of insurance that business goals surrounding confidentiality, integrity, and availability will be properly achieved.

In the course of performing their function as a control, they are of course mitigating risk, but there is no presumption that any control will be perfect under all circumstances. Therefore, a single control is going to be insufficient in virtually every case.

The controls themselves could take the form of a policy, which in its functioning modifies or controls human behavior; procedures and practices, which implement the policy; and technologies and structures. When considering controls and their application, it is a basic principle that we seek to define and achieve a balance between controls and their functions on the one hand and business requirements on the other.

For example, overly strict standards or procedures may find themselves being violated or undermined, while controls that are insufficiently strong will provide no value whatsoever. Therefore it is necessary to ensure that controls are suited to their application context and that they are balanced against achieving business success in that context.

On this slide you see two columns of information. On the left we have the categories and on the right we have examples of controls in each category. The categories of controls fall into three basic sets. We have the administrative or managerial, which is characterized by being in documentary form such as policies, procedures, standards, baselines, and guidelines.

Following these, we have technical or logical. These encompass largely hardware and software control types. They can also include methods, techniques, and instrumentalities that are necessary to the proper functioning of these technologies.

Our third category is physical or operational; these are the kind that affect places and spaces. On the right-hand side of the slide we have examples of procedural controls, technical controls, and physical controls. Each grouping reflects examples of the administrative type, the technical type, and the physical type.

Among the categories of controls we have four basic types of functions. The first is preventive, which generally disallows the threat agent from acting and causing its damage; this also includes deterrent, which can be considered a weak form of preventive.

We have detective, which is self-explanatory in terms of its function. These can take an administrative form, such as monitoring or reviewing documents; a technical form, such as an audit log record; or a physical form, such as an alarm.

We have recovery, which enables, at a great or small scale, recovery from system failures or the results of an attack. A subtype is corrective, which enables us to adjust various configuration parameters or reset misconfigurations. And then we have compensating, which are control types formed by blends of the other direct controls.

Compensating controls are used when a direct control type may not exist, or has an attractive primary function that is accompanied by an undesirable secondary or tertiary effect. In the graphic beside the listing of control functions, we see how they may be activated and how they perform their particular function in the event of an attack or a compromise.

Here we see examples of various controls. In the first case, we have a need that must be addressed: we must protect the system from hackers entering it over the internet. One form of control for this prevents unwanted traffic from entering the system or network.

We will also require a login as a form of access control. This type of control will have several functions in the access control system: identification, authentication, authorization, and accounting. Anyone seeking to enter this system who does not possess a login is by definition unauthorized. Any such attempt will therefore be denied, and the denial will be logged.

This logging performs the detective function that alerts the system administrator that this attempt has been made. Should an IDS be in place, it will detect brute-force attempts or strange or unauthorized traffic flowing in through the network. It will provide additional control functions such as logging for detection purposes and possibly alerting functions.

The performance of backups is considered a form of preservation, but it can be useful as a corrective control in the event that the hackers succeed in changing configurations of the system they have invaded to suit themselves. Adding session timeouts as a compensating control also protects sessions by timing them out after a period of inactivity.

In these examples, we have seen an implementation of the defense in depth philosophy, because all of these controls cooperate with and reinforce each other in terms of total control over a system to prevent the hackers from penetrating it.

Now, in contrast to controls, we have countermeasures. These are generally considered to be more of a reactive type than the proactive type that controls are. Countermeasures fit into all of the main categories of control types and their functions.

Countermeasures are often deployed in response to a specific threat, and many times after the threat has begun its action. The example we give is the firewall, which with its rule set responds to a change in traffic or the presentation of incorrect routing information, to prevent a system or packets from flowing in from unwanted locations on the network.

Countermeasures can also be new, or an enhancement of an existing control. For example, adding a spam filter to your mail client or system to improve detection of email scams generally improves performance and protection against spam or email scams. We must keep in mind, however, that controls and countermeasures are designed to work together as part of the defense in depth strategy.

As always, we must be sure that the controls and countermeasures we use do not reduce our ability to meet the business objectives.

So let's consider some control design considerations. We will, of course, use a risk-based approach to our control selection, oftentimes starting with a top-down process. As discussed before, we must consider a control's goal and the metrics that will be used to measure its effectiveness. In this consideration, however, we may find that a combination of controls will be necessary to achieve a particular protective goal.

There are several factors that we must consider:

  • Impact on productivity
  • Inconvenience to users
  • Operational costs
  • Additional maintenance costs and possible testing costs
  • Training
  • User acceptance
  • Cultural acceptability
  • Legal and regulatory requirements
  • Scalability and adaptability
  • Capability of monitoring

There may of course be other factors that are contextually or operationally unique that must also be considered before decisions can be made regarding the controls that will be implemented.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.