Security Control Selection and Gap Analysis

Preventive controls block threats before they succeed (firewalls, access control, encryption). Detective controls identify threats that have occurred (IDS, logging, audits). Corrective controls reduce impact after an incident (backups, IR plans, patches). Layered defense requires all three types.

Controls span multiple dimensions: Physical (locks, cameras), Technical (firewalls, MFA), Administrative (policies, training). For a given risk, select complementary controls across categories — a technical control supported by an administrative policy and physical security creates genuine defense-in-depth.