1.1 Compare and contrast various types of security controls Flashcards
What are the Exam Objectives (Domains)?
1.0 General Security Concepts 12%
2.0 Threats, Vulnerabilities, and Mitigations 22%
3.0 Security Architecture 18%
4.0 Security Operations 28%
5.0 Security Program Management and Oversight 20%
What are the Categories of General Security Controls?
- Technical
- Managerial
- Operational
- Physical
What are the Control Types in General Security Controls?
Control types
- Preventive
- Deterrent
- Detective
- Corrective
- Compensating
- Directive
What are Security controls?
* Security risks are out there
– Many different categories and types to consider
* Assets are also varied
– Data, physical property, computer systems
* Prevent security events, minimize the impact, and limit the damage
– Security controls
Control categories:
Technical controls
– Controls implemented using systems
– Operating system controls
– Firewalls, anti-virus
Control categories:
Managerial controls
Administrative controls associated with security design and implementation
– Security policies, standard operating procedures
Control categories:
Operational controls
Controls implemented by people instead of systems
– Security guards, awareness programs
Control categories:
Physical controls
Limit physical access
– Guard shack
– Fences, locks
– Badge readers
Control Types
Preventive
– Block access to a resource
– You shall not pass
* Prevent access
– Firewall rules
– Follow security policy
– Guard shack checks all identification
– Enable door locks
Control Types
Deterrent
– Discourage an intrusion attempt
– Does not directly prevent access
* Make an attacker think twice
– Application splash screens
– Threat of demotion
– Front reception desk
– Posted warning signs
Control Types
Detective
– Identify and log an intrusion attempt
– May not prevent access
* Find the issue
– Collect and review system logs
– Review login reports
– Regularly patrol the property
– Enable motion detectors
Control Types
Corrective
– Apply a control after an event has been detected
– Reverse the impact of an event
– Continue operating with minimal downtime
* Correct the problem
– Restoring from backups can mitigate a ransomware infection
– Create policies for reporting security issues
– Contact law enforcement to manage criminal activity
– Use a fire extinguisher
Control Types
Compensating
– Control using other means
– Existing controls aren’t sufficient
– May be temporary
* Prevent the exploitation of a weakness
– Firewall blocks a specific application instead of patching the app
– Implement a separation of duties
– Require simultaneous guard duties
– Generator used after power outage
Control Types
Directive
– Direct a subject towards security compliance
– A relatively weak security control
* Do this, please
– Store all sensitive files in a protected folder
– Create compliance policies and procedures
– Train users on proper security policy
– Post a sign for “Authorized Personnel Only”
Managing security controls
* These are not inclusive lists
– There are many categories of control
– Some organizations will combine types
* There are multiple security controls for each category and type
– Some security controls may exist in multiple types or categories
– New security controls are created as systems and processes evolve
– Your organization may use very different controls