Professor Messer Practice Tests Flash Cards
Directive
Directive control types are guidelines offered to help direct a subject towards security compliance. Training users on the proper storage of sensitive files would be an example of a directive control.
Compensating
A compensating control can’t prevent an attack, but it can provide an alternative when an attack occurs. For example, a compensating control would include the re-imaging of a compromised server.
Deterrent
A deterrent discourages an intrusion attempt, but it doesn’t directly prevent the access. An application splash screen or posted warning sign would be categorized as a deterrent.
Data owner
The data owner is accountable for specific data, so this person is often a senior officer of the organization.
Data controller
A data controller manages the processing of the data. For example, a payroll department would be a data controller, and a payroll servicing company would be the data processor.
Data steward
The data steward manages access rights to the data. In this example, the IT team would be the data steward.
Data processor
The data processor is often a third party that processes data on behalf of the data controller.
OSINT
OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.
Exfiltration
Exfiltration describes the theft of data by an attacker.
Active reconnaissance
Active reconnaissance would show some evidence of data gathering. For example, performing a ping scan or DNS query wouldn’t exploit a vulnerability, but it would show that someone was gathering information.
Escalation scripting
Scripting and automation can provide methods to automate or orchestrate the escalation response when a security issue is detected.
Log aggregation
Log aggregation provides a method of centralizing evidence and log files for reporting and future analysis. The aggregated log does not inherently provide a response to a security event.
Vulnerability scan
A vulnerability scan will identify any known vulnerabilities that may be associated with a system. However, a vulnerability scan will not identify real-time infections or automate the response.
Due care
Due care describes a duty to act honestly and in good faith. Due diligence is often associated with third-party activities, and due care tends to refer to internal activities.
Statement of work
A statement of work is often used during a professional services engagement to detail a list of specific tasks to complete. In this example, all of the work is part of an internal audit and does not include any mention of third-party professional services.