Exploration should include how security controls work to reduce or mitigate the risks to an asset or assets through methods designed to help accomplish the goal.
Security controls include those that are:
- physical (e.g., fences, gates, guards, badges, biometrics, cameras, closed-circuit television [CCTV], data destruction, air gap)
- technical or logical (e.g., hardware or software including firewalls, antivirus, intrusion detection systems [IDS], intrusion prevention systems [IPS], access control lists [ACL], data destruction)
- administrative (e.g., logs, policies, procedures, guidelines).