Controls are steps in processes — or components in information systems — that enforce compliance with business or security rules. Technology can enforce a control, or an individual may perform a manual step or procedure.
Preventive controls: Used to prevent errors and unauthorized actions.
Detective controls: Used to detect errors and unauthorized activities.
Corrective controls: Used to reverse or minimize the impact of errors and unauthorized events. These are also known as recovery controls.
Automatic controls: Those that automatically enforce a security policy.
Manual controls: Those that must be proactively performed in order to enforce a security policy.
All the controls discussed in the following sections fall into these categories. Each control is preventive, detective, or corrective, and each is also either automatic or manual. ...