ELI5: What is Control Diversity?

Don’t rely on just one type of protection. Use a mix — like having a lock on the door (physical), a rule that says “always lock up” (written policy), and a security camera (technology) all working together.

Definition

Control diversity is a defense-in-depth principle that calls for combining different categories of security controls—technical, administrative, and physical—at each layer of defense. By using diverse control types, an organization ensures that a failure or bypass of one control type (e.g., a technical control that is circumvented) does not leave the system completely unprotected, since other control types remain in effect.

Key Details

  • Technical + Administrative + Physical: All three control types should be represented across security layers.
  • Example at one layer: firewall rules (technical) + acceptable use policy (administrative) + cable locks (physical).
  • Diversity also applies within the same control type: using different vendor products reduces the risk of a single vulnerability affecting all controls.
  • Related to vendor diversity—using multiple vendors prevents a single vendor’s vulnerability from compromising all layers.
  • Examinees should be able to classify controls as technical, administrative, or physical AND as preventive, detective, or corrective.

Connections