Control Types: Management, Technical, Common, and Operational
In the context of Certified in Governance, Risk and Compliance (CGRC) and the implementation of security and privacy controls, understanding control types is essential for building a robust security framework.

**Management Controls** are administrative in nature and focus on the governance and oversight of an organization's security program. These include policies, procedures, risk assessments, security planning, and system authorization processes. Management controls establish the strategic direction for security and ensure that appropriate frameworks are in place. Examples include security policies, risk management strategies, and security assessment plans.

**Technical Controls** (also called logical controls) are implemented through technology mechanisms to protect systems and data. These controls are embedded within the hardware, software, and firmware components of information systems. Examples include encryption, firewalls, intrusion detection systems, access control lists, multi-factor authentication, and audit logging. Technical controls automate protection and provide consistent enforcement of security policies.

**Operational Controls** are implemented and executed by people rather than systems. They address the day-to-day security procedures and practices that ensure the secure operation of information systems. Examples include security awareness training, incident response procedures, physical security measures, contingency planning, configuration management, media protection, and personnel security practices. Operational controls bridge the gap between management directives and technical implementations.
**Common Controls** are a distinct category referring to controls that are inherited by multiple information systems across an organization. Rather than being implemented individually for each system, common controls are provided by the organization or a shared infrastructure. Examples include physical security of a data center, organization-wide security training, or shared authentication services. Common controls reduce redundancy, lower costs, and promote consistency across the enterprise. Understanding these control types is critical for CGRC professionals as they must properly categorize, implement, assess, and monitor controls to ensure comprehensive risk management. Effective security programs leverage a balanced combination of all control types to achieve defense-in-depth and maintain compliance with regulatory requirements such as those outlined in NIST SP 800-53.
Control Types: Management, Technical, Common, and Operational – A Comprehensive Guide
Why Control Types Matter
Understanding control types is fundamental to the implementation of security and privacy controls within any organization. The categorization of controls into Management, Technical, Common, and Operational types allows security professionals to systematically plan, deploy, and assess safeguards across an information system. For anyone pursuing the CGRC (Certified in Governance, Risk and Compliance) certification, mastery of control types is essential because exam questions frequently test your ability to classify controls, understand their purpose, and determine who is responsible for their implementation.
Without a clear understanding of control types, organizations risk implementing controls in an ad hoc manner, leaving gaps in their security posture, duplicating efforts, or assigning responsibilities to the wrong personnel. Proper classification ensures accountability, efficiency, and comprehensive coverage of risks.
What Are Control Types?
Controls are safeguards or countermeasures prescribed for an information system or organization to protect the confidentiality, integrity, and availability (CIA) of information and to meet a set of defined security and privacy requirements. They are classified in several ways, and for the purposes of the CGRC exam and NIST Risk Management Framework (RMF), you need to understand the following categories:
1. Management Controls
Management controls (also called administrative controls) are the policies, procedures, and governance mechanisms that address the management of the information system's security program. They focus on the management of risk and the oversight of information security.
Examples include:
- Risk assessments (RA family)
- Security planning (PL family)
- System and services acquisition (SA family)
- Assessment, authorization, and monitoring (CA family; earlier revisions of NIST SP 800-53 called this certification, accreditation, and security assessments)
- Program management (PM family)
Key characteristics:
- Focused on decision-making and governance
- Typically implemented by senior leadership, security managers, and program managers
- Address how the security program is managed overall
- Often documented in policies, plans, and strategic guidance
2. Technical Controls
Technical controls (also called logical controls) are safeguards that are implemented and executed by information systems through mechanisms contained in the hardware, software, or firmware components of the system.
Examples include:
- Access control mechanisms (AC family – logical access controls)
- Identification and authentication (IA family)
- Audit and accountability mechanisms (AU family)
- System and communications protection (SC family – encryption, firewalls)
- Intrusion detection/prevention systems (SI family – system monitoring)
Key characteristics:
- Implemented through technology
- Automated or semi-automated in nature
- Enforced by the system itself, not by people
- Require technical expertise to implement and maintain
- Often the most testable and measurable controls
3. Operational Controls
Operational controls are implemented and executed by people (as opposed to systems). They rely on proper human actions and procedures to be effective. They are the day-to-day security measures that personnel carry out.
Examples include:
- Security awareness and training (AT family)
- Configuration management procedures (CM family)
- Contingency planning and disaster recovery (CP family)
- Incident response (IR family)
- Physical and environmental protection (PE family)
- Media protection (MP family)
- Personnel security (PS family)
- System maintenance (MA family)
Key characteristics:
- People-centric; rely on human execution
- Require training and awareness to be effective
- Cover physical security, personnel actions, and procedural safeguards
- Bridge the gap between management directives and technical implementations
4. Common Controls
Common controls are a special designation that cuts across the Management, Technical, and Operational categories. A common control is any security or privacy control that is inherited by multiple information systems or programs. It is provided by an entity other than the system owner – typically the organization, a shared service provider, or an infrastructure team.
Examples include:
- Organization-wide security awareness training programs
- Physical security of a data center that houses multiple systems
- A shared identity management infrastructure
- Organization-wide incident response plan
- Enterprise firewall protecting multiple systems
Key characteristics:
- Developed, implemented, assessed, and authorized by a common control provider
- Inherited by multiple systems, reducing duplication of effort
- The common control provider is responsible for the implementation and effectiveness
- System owners who inherit common controls are still responsible for ensuring the controls are adequate for their systems
- Documented in the organization's security plan and common control catalog
- Reduce cost and complexity by centralizing certain controls
How Control Types Work Together
In practice, organizations use a layered approach:
1. Identify common controls – The organization first determines which controls can be provided centrally and inherited by multiple systems. This happens early in the RMF process: NIST SP 800-37 Rev. 2 places common control identification in the organization-level Prepare step, and the results feed the Select step, where each system's controls are tailored and allocated as common, hybrid, or system-specific.
2. Determine system-specific controls – For each information system, the system owner identifies which controls are system-specific (not inherited) and must be implemented directly. These can be management, technical, or operational in nature.
3. Hybrid controls – Some controls are partially common and partially system-specific. For example, an organization may have a common incident response plan (common control), but each system may need system-specific incident response procedures (system-specific portion). These are called hybrid controls.
4. Assign responsibility – Management controls are typically the responsibility of security program managers and authorizing officials. Technical controls are assigned to system administrators, engineers, and IT staff. Operational controls are assigned to operational staff, facility managers, and end users. Common controls are assigned to common control providers.
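The four steps above, as an added worked example (Python written for this page, not NIST text and not taken from any RMF tool): given a system's selected controls and a catalog of what the common control providers offer, the script partitions the controls into common, hybrid, and system-specific, checks that each inherited control was assessed at or above the inheriting system's impact level, and builds a responsibility roster. The impact-level adequacy check, the catalog shape, the provider names, and the sample system are assumptions made for this example; NIST does not prescribe this data model.

```python
"""Partition a system's selected controls into common, hybrid and system-specific
implementations and flag inherited controls that do not meet the system's needs.

Added example for the four-step procedure on this page; not NIST text and not
from any RMF tool. Control identifiers follow SP 800-53 naming ("AC-2"); the
provider catalog, system and impact levels are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Family-to-class mapping as used on this page (SP 800-53 Rev 3 style classes).
CLASS_BY_FAMILY: Dict[str, str] = {
    **dict.fromkeys(["RA", "PL", "SA", "CA", "PM"], "management"),
    **dict.fromkeys(["AC", "IA", "AU", "SC", "SI"], "technical"),
    **dict.fromkeys(["AT", "CM", "CP", "IR", "PE", "MP", "PS", "MA"], "operational"),
}

# FIPS 199 impact levels, ranked so adequacy can be compared numerically.
LEVEL_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class Offering:
    """A control a common control provider makes available for inheritance (assumed shape)."""
    provider: str
    coverage: str        # "full" -> inherited as common; "partial" -> hybrid
    assessed_level: str  # impact level the provider's implementation was assessed at


@dataclass
class Disposition:
    """How one control in a system's baseline will be satisfied."""
    control: str
    control_class: str   # management / technical / operational
    implementation: str  # common / hybrid / system-specific
    provider: Optional[str]
    adequate: bool       # False when inheritance falls short of the system's level
    note: str


def control_class(control_id: str) -> str:
    """Map 'AC-2' -> 'technical' using the family prefix."""
    return CLASS_BY_FAMILY.get(control_id.split("-")[0].upper(), "unclassified")


def classify_controls(baseline: List[str], catalog: Dict[str, Offering],
                      system_level: str) -> Dict[str, Disposition]:
    """Steps 1-3: decide common vs. hybrid vs. system-specific for each control,
    and record when an inherited control needs supplementing by the system owner."""
    result: Dict[str, Disposition] = {}
    for control in sorted(set(baseline)):
        offering = catalog.get(control)
        if offering is None:
            result[control] = Disposition(control, control_class(control),
                                          "system-specific", None, True,
                                          "implemented and assessed by the system owner")
            continue
        implementation = "common" if offering.coverage == "full" else "hybrid"
        # Assumed adequacy rule: the provider's assessment must cover the system's level.
        adequate = LEVEL_RANK[offering.assessed_level] >= LEVEL_RANK[system_level]
        if adequate:
            note = f"inherited from {offering.provider}; document inheritance in the SSP"
        else:
            note = (f"inherited from {offering.provider} but assessed at "
                    f"{offering.assessed_level} < system level {system_level}; "
                    "system owner must add compensating or supplementary controls")
        result[control] = Disposition(control, control_class(control), implementation,
                                      offering.provider, adequate, note)
    return result


def responsibility_roster(dispositions: Dict[str, Disposition]) -> Dict[str, List[str]]:
    """Step 4: group controls by who answers for them. Inherited portions go to the
    provider; system-implemented portions are grouped by class. Hybrids appear under both."""
    roster: Dict[str, List[str]] = {}
    for d in dispositions.values():
        keys = []
        if d.provider:
            keys.append(f"provider:{d.provider}")
        if d.implementation != "common":
            keys.append(f"system:{d.control_class}")
        for key in keys:
            roster.setdefault(key, []).append(d.control)
    return roster


# Constructed sample: a HIGH-impact system inheriting from three providers.
SAMPLE_CATALOG = {
    "PE-3": Offering("Facilities", "full", "HIGH"),
    "AT-2": Offering("Security Training Office", "full", "MODERATE"),
    "IA-2": Offering("Enterprise IAM", "full", "MODERATE"),
    "IR-8": Offering("Enterprise SOC", "partial", "HIGH"),
}
SAMPLE_BASELINE = ["AC-2", "AT-2", "IA-2", "IR-8", "PE-3", "RA-3", "SC-7"]


def run_example() -> Dict[str, Disposition]:
    return classify_controls(SAMPLE_BASELINE, SAMPLE_CATALOG, "HIGH")


if __name__ == "__main__":
    for d in run_example().values():
        flag = "" if d.adequate else "  <-- supplement"
        print(f"{d.control:6} {d.control_class:12} {d.implementation:16} {d.note}{flag}")
```

Running the script prints one row per control. In the sample, PE-3 is a straightforward inherited common control, IR-8 is hybrid (the SOC provides the plan, the system owner still owns system-specific procedures), and AT-2 and IA-2 are inherited but flagged because the providers were only assessed at MODERATE for a HIGH system, which is exactly the case where the system owner must supplement or compensate rather than simply record the inheritance.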
The Relationship Between Control Classes and Common Controls
It is critical for exam purposes to understand that common controls are not a separate class alongside management, technical, and operational. Instead, common controls represent a designation that can apply to any control from any class. A management control can be a common control. A technical control can be a common control. An operational control can be a common control. The designation of "common" refers to how the control is provided and who is responsible, not what type of control it is.
Why This Distinction Matters for the Exam
CGRC exam questions may try to confuse you by mixing up the classification scheme. Remember:
- Management, Technical, and Operational describe the nature of the control (what it is and how it functions).
- Common, System-Specific, and Hybrid describe the implementation approach (who provides it and how it is shared).
How to Answer Exam Questions on Control Types
When facing a question about control types, follow this decision framework:
Step 1: Determine if the question asks about the nature of the control or the implementation approach.
- If the question asks about governance, risk oversight, or policy → Management
- If the question asks about technology, automation, or system-enforced mechanisms → Technical
- If the question asks about human actions, procedures, training, or physical measures → Operational
- If the question asks about shared, inherited, or centrally provided controls → Common
Step 2: Look for keywords in the question.
- Keywords like "policy," "risk assessment," "planning," "governance," "program management" → Management
- Keywords like "encryption," "firewall," "authentication," "access control list," "automated" → Technical
- Keywords like "training," "awareness," "physical security," "incident handling procedures," "personnel" → Operational
- Keywords like "inherited," "organization-wide," "shared," "centrally managed," "common control provider" → Common
Step 3: Eliminate wrong answers by checking responsibility.
- If the answer assigns a management-level activity to a system administrator, it is likely wrong.
- If the answer suggests a technical control is executed by people without technology, it is likely wrong.
Exam Tips: Answering Questions on Control Types
Tip 1: Don't confuse Common Controls with a control class.
Common controls are an implementation designation, not a control class. The three classes are Management, Technical, and Operational. If a question lists all four and asks which is NOT a control class, the answer is Common (since it is a designation, not a class). However, be careful – some frameworks and exam contexts treat common controls as a distinct category for discussion purposes. Read the question carefully.
Tip 2: Remember the "who" behind each type.
- Management → Senior leaders, security program managers, authorizing officials
- Technical → Systems, hardware, software, firmware (automated)
- Operational → People performing day-to-day tasks
- Common → Common control provider (could be any role, but the key is they serve multiple systems)
Tip 3: Understand hybrid controls.
If a question describes a control that is partially inherited and partially implemented at the system level, the answer is hybrid control. This is a frequent exam topic.
Tip 4: Know the NIST SP 800-53 control families and their typical classification.
You don't need to memorize every family, but know the general mapping. This class-by-family scheme comes from NIST SP 800-53 Rev. 3 and earlier; Rev. 4 and Rev. 5 no longer label controls with a class, but the exam and most GRC literature still use it:
- RA, PL, SA, CA, PM → Management
- AC (logical), IA, AU, SC, SI → Technical
- AT, CM (procedural), CP, IR, PE, MP, PS, MA → Operational
Tip 5: Watch for scenario-based questions.
The exam loves scenarios. If a scenario describes an organization deploying a centralized security training program that all systems benefit from, this is a common control that is operational in nature. Be prepared to identify both dimensions.
Tip 6: Understand the cost and efficiency benefit of common controls.
Questions may ask why organizations identify common controls early in the RMF process. The answer relates to cost savings, consistency, and reduced duplication. By centralizing controls, organizations avoid redundant implementations across multiple systems.
Tip 7: Know that system owners inherit common controls but retain responsibility.
Even though a common control provider implements and maintains the control, the system owner must still acknowledge the inheritance, document it in their system security plan, and ensure the control meets their system's needs. If it does not, they must implement compensating or supplementary controls.
Tip 8: Practice distinguishing between similar-sounding answer choices.
Exam questions may present four answer choices where two seem correct. For example:
- "Encryption implemented on a shared network" could be both technical and common.
- The correct answer depends on what the question is asking: the nature of the control (technical) or the implementation approach (common).
Tip 9: Use the process of elimination.
If you are unsure, eliminate answers that clearly don't fit. A "firewall" is never a management control. "Security awareness training" is never a technical control. Use these certainties to narrow your choices.
Tip 10: Remember the big picture.
Controls exist to reduce risk. The classification into types helps organizations assign accountability, ensure comprehensive coverage, and streamline the assessment process. Questions that ask about the purpose of classification should be answered with these goals in mind.
Summary Table for Quick Review
Management Controls: Focus on governance and risk management; implemented through policies and plans; owned by senior leadership and program managers.
Technical Controls: Focus on technology-enforced safeguards; implemented through hardware, software, and firmware; automated and system-executed.
Operational Controls: Focus on people and procedures; implemented through human actions, training, and physical measures; require ongoing human diligence.
Common Controls: A designation (not a class) indicating the control is inherited by multiple systems; provided by a common control provider; can be management, technical, or operational in nature; reduce duplication and cost.
By mastering these distinctions and applying the exam tips above, you will be well-prepared to confidently answer any question on control types in the CGRC examination.