Controlling security in an organization is part risk analysis. NIST Special Publication 800-37 defines a framework for guidelines for applying Risk Management Framework (RMF) to Federal Information Systems in a six-step process. NIST is a standardization body therefore; their recommendations are respectable for organizations to follow also. The second step of the process is to select security controls. Security controls are based on the first step of security categorization. The security categorization is based on an impact analysis. The security controls that may be put into place and adjusted as needed are deterrent controls, preventative controls, detective controls, compensating controls, corrective controls, recovery controls, and directive controls.
Security control implementation is the third step of the process for applying the RMF. This can be done with access controls that are categorized into categories: physical controls, logical/technical controls, or administrative controls. An access control is any hardware, software, or administrative policy or procedure that controls access to resources.
The fourth step in applying RMF is to assess the security controls to determine if they were correctly implemented and producing the anticipated outcome. The fifth step is to authorize the information system operation. And, lastly, the security controls must be monitored on an on-going basis and measured for effectiveness and security impact.