Full Metal Mac FullMetalMac.com

What Is a Security Control?

Understanding preventive, detective, and corrective security controls with practical Mac administration examples

Published: Feb 14, 2026

A security control is any safeguard, mechanism, or process designed to protect an organization’s information systems and data. Controls are the building blocks of every security framework – from CIS Controls to NIST 800-53 to ISO 27001. For Mac administrators, understanding control types helps you evaluate whether your fleet management strategy has the right coverage or leaves critical gaps.

The Three Functional Types

Security controls are classified by when they act relative to a threat:

Preventive Controls

Preventive controls stop security incidents before they occur. They are your first line of defense, designed to block unauthorized actions outright.

Mac admin examples:

  • Gatekeeper – Prevents unsigned or unnotarized applications from launching. This is the most visible preventive control on macOS.
  • MDM Configuration Profiles – Enforce security baselines such as password complexity, screen lock timeouts, and disabling guest accounts before a user can weaken them.
  • FileVault Encryption – Prevents data access on lost or stolen devices by encrypting the startup volume.
  • Managed Login Items – Block unauthorized launch agents and daemons from persisting on the system.

# Verify Gatekeeper status (preventive control)
spctl --status

Detective Controls

Detective controls identify and alert on security incidents that are occurring or have already occurred. They do not prevent the event, but they ensure you know about it.

Mac admin examples:

  • XProtect – Scans applications and files against known malware signatures and alerts/blocks when a match is found.
  • Unified Logging – Records system events that can be reviewed for suspicious activity such as unauthorized privilege escalation.
  • osquery – Runs scheduled queries across your fleet to detect configuration drift, unexpected software installations, or anomalous processes.
  • Santa – Monitors binary executions against allow/deny rules and logs decisions for audit purposes.

# Query recent authorization events (detective control)
log show --predicate 'subsystem == "com.apple.authd"' --last 1h

Corrective Controls

Corrective controls respond to and remediate security incidents after detection. They limit damage and restore systems to a secure state.

Mac admin examples:

  • Nudge – Prompts users to install required macOS updates, escalating urgency as deadlines approach, correcting the “unpatched” state.
  • MDM Remote Wipe – Erases a compromised or lost device to prevent data exposure.
  • MRT (Malware Removal Tool) – Automatically removes known malware families that have already been installed on the system.
  • FileVault Recovery Key Rotation – After using a recovery key (indicating a potential incident), rotating it corrects the exposed-key risk.

# Check for pending software updates (corrective action available)
softwareupdate --list

Control Implementation Categories

Beyond functional type, controls are also categorized by how they are implemented:

| Category       | Description                                          | Mac Admin Examples                                                                        |
|----------------|------------------------------------------------------|-------------------------------------------------------------------------------------------|
| Technical      | Implemented through technology and automation        | Gatekeeper, FileVault, XProtect, MDM profiles                                             |
| Administrative | Implemented through policies, procedures, and training | Acceptable use policies, security awareness training, incident response plans           |
| Physical       | Implemented through physical safeguards              | Cable locks for Mac minis, server room access controls, secure disposal of storage devices |

A mature security program uses all three categories. Technical controls are the strongest because they cannot be bypassed by human error, but they must be backed by administrative policies that define why the control exists and physical controls that protect the hardware itself.

Why Controls Matter for Compliance

Every compliance framework is built on controls. When an auditor evaluates your Mac fleet, they are assessing whether you have appropriate controls in each functional category:

  • Are preventive controls in place? – “Show me your MDM configuration profiles and Gatekeeper enforcement.”
  • Are detective controls active? – “How do you detect malware or unauthorized software on endpoints?”
  • Are corrective controls defined? – “What happens when a device is compromised or falls out of compliance?”

Gaps in any category create risk. A fleet with strong preventive controls (locked-down profiles) but no detective controls (no logging or monitoring) cannot identify when those preventive measures fail. Similarly, detective controls without corrective controls mean you can see problems but cannot respond to them.

Tip: Map your existing Mac management tools to all three control types. If one column is empty, that is where your security investment should go next.

Defense in Depth

The principle of defense in depth means layering multiple controls so that the failure of one does not result in a complete security breakdown. On a managed Mac, this might look like:

  1. Preventive – Gatekeeper blocks unsigned apps from launching.
  2. Preventive – MDM profile restricts app installations to managed sources.
  3. Detective – XProtect scans anything that does execute for known malware signatures.
  4. Detective – osquery flags unexpected new processes to your SIEM.
  5. Corrective – MRT removes detected malware; MDM triggers a compliance remediation workflow.

No single control is infallible. Layering them across functional types and implementation categories creates resilience.
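The mapping exercise from the tip above and the layered list in this section can be worked through in code. This is an added example, not code from the original article: the inventory is constructed from the tools the article names, and the functions report empty cells of the functional-type × implementation-category matrix and any functional type that rests on a single control.

```python
from collections import Counter
from itertools import product

FUNCTIONAL = ("preventive", "detective", "corrective")
CATEGORIES = ("technical", "administrative", "physical")

# Inventory constructed from the tools the article names; replace with your fleet's.
INVENTORY = [
    ("Gatekeeper", "preventive", "technical"),
    ("MDM configuration profiles", "preventive", "technical"),
    ("FileVault", "preventive", "technical"),
    ("XProtect", "detective", "technical"),
    ("osquery", "detective", "technical"),
    ("Santa", "detective", "technical"),
    ("Nudge", "corrective", "technical"),
    ("MDM remote wipe", "corrective", "technical"),
    ("MRT", "corrective", "technical"),
    ("Acceptable use policy", "preventive", "administrative"),
    ("Incident response plan", "corrective", "administrative"),
    ("Cable locks for Mac minis", "preventive", "physical"),
]

def coverage_matrix(inventory):
    """Map every (functional type, category) cell to the tools that fill it."""
    matrix = {cell: [] for cell in product(FUNCTIONAL, CATEGORIES)}
    for tool, functional, category in inventory:
        if (functional, category) not in matrix:
            raise ValueError(f"{tool}: unknown cell {functional}/{category}")
        matrix[(functional, category)].append(tool)
    return matrix

def coverage_gaps(inventory):
    """Empty cells: the 'empty column' the tip says to invest in next."""
    return sorted(c for c, tools in coverage_matrix(inventory).items() if not tools)

def thin_layers(inventory):
    """Functional types backed by exactly one control, so no defense in depth there."""
    depth = Counter(functional for _, functional, _ in inventory)
    return [f for f in FUNCTIONAL if depth[f] == 1]

def report(inventory):
    """Human-readable coverage summary for a fleet review."""
    rows = [f"{f}/{c}: {', '.join(t) or 'GAP'}"
            for (f, c), t in coverage_matrix(inventory).items()]
    rows.append(f"thin layers: {', '.join(thin_layers(inventory)) or 'none'}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(INVENTORY))
```

With the article's own tool list the technical column is full, while detective/administrative, detective/physical and corrective/physical are empty, which is exactly the kind of gap the tip asks you to look for.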
