Security Controls Matrix

Defense in Depth: Use multiple control types for each function.
Comprehensive Coverage: Ensure all 9 cells have appropriate controls.
Control Dependencies: Some controls rely on others (e.g., SIEMs need logs).
Risk-Based Selection: Choose controls based on your specific risk profile.
Regular Review: Periodically assess if your control matrix has gaps.

A Quick Reference Guide for Control Types and Functions

Preventive:Stop threats

Detective:Identify incidents

Corrective:Fix & recover

Control Type	Preventive	Detective	Corrective
Physical	Door locks & key cards Security guards Fences & barriers Biometric scanners Mantrap doors	CCTV cameras Motion sensors Badge reader logs Glass break detectors Visitor management systems	Emergency response procedures Backup power (UPS/generators) Fire suppression systems Emergency evacuation plans Physical asset recovery
Technical	Firewalls Antivirus software Multi-factor authentication Data encryption Input validation Access control lists	Intrusion Detection Systems (IDS) SIEM systems Log monitoring File integrity monitoring Network traffic analysis Vulnerability scanners	Intrusion Prevention Systems (IPS) Automated patch management System backups & recovery Quarantine systems Failover systems Incident response tools
Administrative	Security awareness training Background checks Separation of duties Acceptable use policies Password policies Security procedures	Security audits Log reviews Performance monitoring Compliance assessments Peer reviews Whistleblower programs	Incident response teams Business continuity plans Disciplinary actions Policy updates Lessons learned programs Process improvements

This matrix shows that every security control has both a TYPE (how it's implemented) and a FUNCTION (what it does). For example: