In today's rapidly evolving cybersecurity landscape, professionals are tasked with managing numerous tools to safeguard systems against a growing array of threats. With diverse implementations of open-source and vendor-specific security controls, each utilizing its own configuration languages and ecosystems, selecting and disposing of the right solutions becomes a complex and time-consuming challenge for network administrators. This results, more often than desired, in human-based faults when security policies are enforced. This thesis presents a formal model of security controls that abstracts security capabilities from a theoretical standpoint. By leveraging software engineering design patterns and best practices, this model enables the specification of security properties for information systems without requiring prior knowledge of the underlying enforcement technologies.