CIA Triad · 08

Controls Matrix

The synthesis. Every security control you propose can be placed along two dimensions: which pillar it primarily protects, and what kind of control it is. The matrix is your map.

01

What a Control Is

A security control is a measure taken to reduce risk by addressing a threat, a vulnerability, or both.

Controls come in three flavors, named by what type of measure they are:

  - Administrative: policies, procedures, and decisions about people (who is hired, who approves a change, what the classification scheme says).
  - Technical: mechanisms enforced by systems and software (encryption, access control lists, backups, failover).
  - Physical: barriers and environmental protections around the hardware and the people who touch it (badges, tamper-evident seals, power, fire suppression).

Real defensive postures use all three. Many controls bridge categories: an encrypted laptop is technical, but the requirement to use one is administrative, and the badge that gets you into the office to use it is physical.

02

Control Functions

Controls can also be classified by what they do in the timeline of an incident. The canonical list has five functions; the four used in the worked mappings below are:

  - Preventive: stops the unwanted event before it happens (MFA, encryption, change approval).
  - Detective: notices the event while it is happening or after the fact (IDS, audit logs, tamper-evident seals).
  - Corrective: restores the asset after the event (backups, failover to a standby).
  - Deterrent: discourages the attempt without technically blocking it (an "Authorized Personnel Only" sign).

Every mature security program uses a balanced mix. Pure prevention is a fantasy; pure detection is the discipline of cataloging the burglar. The point is layering.

03

The Pillar-by-Category Matrix

The matrix below crosses control category against the CIA pillar primarily protected; it is laid out here by category, then by pillar. Each cell holds two or three concrete controls. Most real controls protect multiple pillars; the placement here reflects the dominant effect.

Administrative
  Confidentiality
    Data classification policy: defines who can access what.
    Background checks: reduces insider risk before granting access.
  Integrity
    Change management process: reviews and approves modifications.
    Separation of duties: no single person both authorizes and executes.
  Availability
    Business continuity plan: defines recovery priorities and procedures.
    Incident response plan: a pre-arranged response reduces downtime.

Technical
  Confidentiality
    Encryption at rest and in transit: renders data unreadable to unauthorized parties.
    Access control lists, RBAC: enforces who can read what.
    Multi-factor authentication: strengthens identity verification before access.
  Integrity
    Hashing and digital signatures: detects tampering and proves origin.
    Version control with audit logs: records every change.
    Immutable storage (WORM, S3 Object Lock): prevents modification after write.
  Availability
    Redundant systems and failover: continues service when components fail.
    Automated backups: enables recovery from data loss.
    DDoS mitigation and rate limiting: absorbs malicious traffic.

Physical
  Confidentiality
    Badge-controlled access: restricts physical proximity to sensitive systems.
    Privacy screens, shredders: prevents shoulder surfing and dumpster diving.
  Integrity
    Tamper-evident seals: detects physical modification of hardware.
    Two-person rule for high-value rooms: a witness prevents unauthorized changes.
  Availability
    Uninterruptible power supplies, generators: maintains operation through power loss.
    Fire suppression, HVAC redundancy: protects against environmental failure.

04

Worked Mappings

Practice placing controls on the matrix. For each control, identify its category, primary pillar, and function.

Multi-factor authentication (MFA). Technical, primarily Confidentiality, primarily Preventive. It protects against unauthorized login. Secondary effect on Integrity through the same mechanism (unauthorized writes are blocked by the same control that blocks unauthorized reads).

Intrusion Detection System (IDS). Technical, Detective by function; the pillar it serves is Confidentiality or Integrity, depending on what it is tuned to detect (exfiltration versus unauthorized modification). The IDS does not prevent attacks; it reports them. The downstream response is what contains the breach.

Daily encrypted backups stored offsite. Technical, primarily Availability, primarily Corrective. The backups do not prevent data loss; they enable recovery. Encryption keeps the backup itself confidential, which is a secondary confidentiality effect.

Security awareness training. Administrative, primarily Confidentiality (phishing resistance), Preventive by function. Training also touches integrity (recognizing BEC fraud) and availability (recognizing social engineering that precedes ransomware deployment).

Tamper-evident seals on server rooms. Physical, primarily Integrity, Detective by function. The seals do not stop tampering; they make tampering visible after the fact. The deterrent effect is secondary.

Hot-standby database replica in a second region. Technical, primarily Availability, Corrective by function. During normal operation the replica serves no production traffic; it only receives a continuous stream of changes from the primary so that it can take over when the primary fails.

"Authorized Personnel Only" sign. Physical and Administrative, all pillars indirectly, Deterrent by function. The sign does not technically stop anyone; it changes the legal status of trespass and discourages casual access.

05

Choosing Controls for a Risk

Given a specific risk, the matrix becomes a checklist for control selection. The workflow is:

  1. Identify which CIA pillar is most at risk for this asset.
  2. Consider controls from all three categories (administrative, technical, physical) that protect that pillar.
  3. Ensure coverage of multiple functions (preventive, detective, corrective) so that a failure of one does not leave the asset undefended.
  4. Account for the trade-offs identified on the Tensions page: a control that strengthens one pillar usually costs something on another, so check what each choice gives up.
  5. Document the rationale. The next person to inherit this system needs to know why each control exists.

A practical heuristic

If your defense for an asset consists of a single control from a single cell of the matrix, you are one bug or one policy lapse away from total compromise. Defense in depth means at least one control protecting each relevant pillar, drawn from multiple categories, performing multiple functions.
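As an added example (not part of the course material), the matrix and the heuristic above can be encoded and checked mechanically. Each control carries a category, a function, a primary pillar and optional secondary pillars; a checker then reports, per pillar at risk, whether the asset is undefended, covered from only one category, or covered by only one function. The control set is the page's worked mappings from section 04, entered as constructed sample data. The thresholds of at least two categories and two functions per pillar, and the option to ignore secondary effects, are assumptions made for this example.

```python
"""Encode the controls matrix and check an asset's defense-in-depth coverage.

Added example, not course material. Sample data is the page's Worked Mappings;
the thresholds (>= 2 categories, >= 2 functions per pillar) are an assumption
that operationalizes the "single cell of the matrix" heuristic.
"""
from dataclasses import dataclass
from enum import Enum


class Pillar(Enum):
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


class Category(Enum):
    ADMINISTRATIVE = "administrative"
    TECHNICAL = "technical"
    PHYSICAL = "physical"


class Function(Enum):
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"
    DETERRENT = "deterrent"


@dataclass(frozen=True)
class Control:
    name: str
    category: Category
    function: Function
    primary: Pillar
    secondary: frozenset = frozenset()  # pillars protected as a side effect

    def protects(self, pillar, primary_only=False):
        """True if this control covers `pillar`; secondary effects count unless primary_only."""
        if pillar == self.primary:
            return True
        return not primary_only and pillar in self.secondary


C, I, A = Pillar.CONFIDENTIALITY, Pillar.INTEGRITY, Pillar.AVAILABILITY

# Constructed sample data: the six worked mappings from section 04.
WORKED_MAPPINGS = [
    Control("MFA", Category.TECHNICAL, Function.PREVENTIVE, C, frozenset({I})),
    Control("IDS", Category.TECHNICAL, Function.DETECTIVE, C, frozenset({I})),
    Control("Encrypted offsite backups", Category.TECHNICAL, Function.CORRECTIVE, A, frozenset({C})),
    Control("Awareness training", Category.ADMINISTRATIVE, Function.PREVENTIVE, C, frozenset({I, A})),
    Control("Tamper-evident seals", Category.PHYSICAL, Function.DETECTIVE, I),
    Control("Hot-standby replica", Category.TECHNICAL, Function.CORRECTIVE, A),
]


def coverage(controls, pillar, primary_only=False):
    """Return (names, categories, functions) of the controls covering one pillar."""
    covering = [c for c in controls if c.protects(pillar, primary_only)]
    return (
        [c.name for c in covering],
        {c.category for c in covering},
        {c.function for c in covering},
    )


def gaps(controls, pillars_at_risk, primary_only=False, min_categories=2, min_functions=2):
    """Flag each pillar that is undefended, single-category, or single-function."""
    findings = []
    for pillar in pillars_at_risk:
        names, cats, funcs = coverage(controls, pillar, primary_only)
        if not names:
            findings.append(f"{pillar.name}: undefended")
            continue
        if len(cats) < min_categories:
            only = next(iter(cats)).value
            findings.append(f"{pillar.name}: single category ({only}); one policy lapse or one bug away")
        if len(funcs) < min_functions:
            only = next(iter(funcs)).value
            findings.append(f"{pillar.name}: single function ({only}); no layering")
    return findings


if __name__ == "__main__":
    for label, strict in (("counting secondary effects", False), ("primary effects only", True)):
        print(f"== {label} ==")
        for line in gaps(WORKED_MAPPINGS, list(Pillar), primary_only=strict) or ["no gaps"]:
            print("  " + line)
    print("== MFA alone ==")
    for line in gaps(WORKED_MAPPINGS[:1], list(Pillar)):
        print("  " + line)
```

Run as a script, it shows that the six worked controls cover all three pillars only when their secondary effects are counted. Counting primary effects alone, Integrity rests on the tamper-evident seals and Availability on two corrective technical controls, which is exactly the single-cell situation the heuristic warns about; MFA by itself leaves Availability undefended entirely.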

06

Bridge to the AAA Model

This page closes the CIA Triad subsection. The next subsection, 01.B AAA Model, picks up where the controls matrix leaves off. AAA stands for Authentication, Authorization, and Accounting: the three operational disciplines that turn the access-control row of this matrix into a working access-control system.

Authentication answers "who are you?" Authorization answers "what are you allowed to do?" Accounting answers "what did you do?" Each one connects to specific cells of the controls matrix and to specific pillars of the CIA Triad. By the end of Module 01, you will have the full vocabulary to describe what every security control is trying to achieve.

For now, you have a complete picture of the CIA Triad: three pillars, the tensions among them, the Parkerian extensions, a map of attacks, and the controls matrix that connects defensive choices to what they protect. This is the foundation. Everything else in Rolling Thunder Security builds on it.