written 5.4 years ago
To protect their information assets, organizations implement controls, or defense mechanisms (also called countermeasures).
These controls are designed to protect all of the components of an information system, including data, software, hardware, and networks.
Because there are so many diverse threats, organizations utilize layers of controls, or defense-in-depth.
Controls are intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems.
It is important to emphasize that the single most valuable control is user education and training. Effective and ongoing education makes every member of the organization aware of the vital importance of information security.
There are three major types of controls: physical controls, access controls, and communications controls.
The figure below illustrates these controls. In addition to applying controls, organizations plan for business continuity in case of a disaster, and they periodically audit their information resources to detect possible threats.