1.1 Compare and contrast various types of security controls.

Question 1

Control Categories are crucial for ensuring…

Answer 1

• efficiency,
• effectiveness,
• compliance.

Question 2

What are the four main control categories?

Answer 2

The four main control categories are:
- technical,
- managerial,
- operational,
- physical.

Question 3

Technical controls focus on:

Answer 3

• Upholding system integrity
• Mitigating the risk of unauthorized access
• Protecting sensitive data from potential threats

Question 4

Implementing effective technical control measures can:

Answer 4

• Significantly reduce vulnerabilities
• Enhance the security of an organization’s technological infrastructure.

Question 5

Technical controls are typically implemented by

Answer 5

the security team to mitigate risks.

Question 6

Examples of technical controls

Answer 6

• Firewalls
• Data encryption

Question 7

What is Firewall?

Answer 7

Protect computer networks from unauthorized access. They monitor incoming and outgoing network traffic, filter and block potential threats, and reduce the risk of unauthorized intrusion.

Question 8

What is data encryption?

Answer 8

Data encryption converts sensitive information into a coded form, making it unreadable to unauthorized individuals. Even intercepted data remains secure and inaccessible without the decryption key.

Question 9

What do managerial controls encompass?

Answer 9

Managerial controls encompass the implementation of policies, procedures, and practices by management to guide and direct the activities of individuals and teams.

Question 10

Managerial controls ensure that employees are…

Answer 10

are aligned with the organization’s goals, thereby minimizing the potential for risks and enhancing overall operational safety.

Question 11

Examples of managerial controls

Answer 11

• performance reviews,
• risk assessments,
• code of conduct.

Question 12

What do performance reviews involve?

Answer 12

Involves regular assessments of employee performance. By providing feedback, setting goals, and identifying areas for improvement, performance reviews help align employee activites with organizational objectives and ensure that employees are performing effectively.

Question 13

What do risk assessments involve?

Answer 13

Involves the systematic identification, evaluation, and mitigation of potential risks within an organization. They help with identifying vulnerabilities, assessing the likelihood and impact of risks, and developing strategies to minimize or mitigate them.

Question 14

What can management achieve by conducting regular risk assessments?

Answer 14

Management can proactively identify and address potential threats, reducing the organization’s overall risk exposure.

Question 15

What is the code of conduct?

Answer 15

Set of guidelines and ethical standards established by management to govern employee behavior.

Question 16

What is the code of conduct defining?

Answer 16

The code of conduct is defining acceptable behavior.

Question 17

What is the code of conduct promoting?

Answer 17

The code of conduct is promoting ethical conduct.

Question 18

What is the code of conduct reducing?

Answer 18

The code of conduct is reducing the risk of misconduct withing the organization.

Question 19

What are operational controls?

Answer 19

Operational controls are the processes and actions used to manage and oversee day-to-day activities within an organization. They ensure that tasks are performed according to set standards, help maintain quality, enhance productivity, and improve efficiency. These controls focus on the practical execution of operations, such as managing workflows, monitoring performance, and optimizing resources, to ensure smooth and effective delivery of goods and services.

Question 20

Examples of operational controls

Answer 20

• incident response procedures,
• security awareness training,
• user access management.

Question 21

Incident response procedures

Answer 21

Incident response procedures guide organizations in detecting, responding to, and recovering from security incidents. They help minimize the impact of breaches, mitigate risks, and restore normal operations efficiently.

Question 22

Security awareness training

Answer 22

Security awareness training educates employees on threats, best practices, and policies to build a security-focused culture. It enhances their ability to identify and respond to threats, reducing risks from human error and strengthening the organization’s defense against cyber threats.

Question 23

User access management

Answer 23

User access management manages user access to systems, applications, and data. It includes provisioning, access requests, revocation, and periodic reviews to ensure users have appropriate access for their roles. Effective user access management reduces unauthorized access risks and protects sensitive information.

Question 24

Physical controls

Answer 24

Physical controls are security measures that protect an organization’s tangible assets and facilities. They prevent unauthorized access, ensure safety, and reduce physical security risks using tools like access control systems (e.g., key cards, biometrics, PIN codes) to restrict entry to sensitive areas. These controls are “physical” because they involve touchable elements.

Question 25

Examples of physical controls

Answer 25

• access control vestibule,
• biometric locks,
• guards/security personnel,
• security fences,
• closed-circuit television (CCTV) surveillance systems,
• mantraps,
• vehicle barriers,
• tamper-evident seals,
• panic buttons/alarms.

Question 26

Access control vestibule

Answer 26

A secure area with two doors that requires multiple authentication steps before granting access to restricted zones.

Question 27

Biometric locks

Answer 27

Locks that use unique physical traits (fingerprints, iris, facial recognition) to verify identity and grant access.

Question 28

Guards/security personnel

Answer 28

Personnel stationed at entry points to monitor security, enforce protocols, and respond to breaches.

Question 29

Security fences

Answer 29

Physical barriers that prevent unauthorized access, often reinforced with features like barbed wire or electric currents.

Question 30

CCTV surveillance systems

Answer 30

Cameras placed around a facility to monitor and record activities, helping identify security breaches.

Question 31

Mantraps

Answer 31

Enclosed areas with two doors that control access, ensuring only authorized individuals pass through.

Question 32

Vehicle barriers

Answer 32

Barriers, such as bollards or gates, that control vehicle access to a facility.

Question 33

Tamper-evident seals

Answer 33

Seals on containers or equipment that show visible signs if tampered with.

Question 34

Panic buttons/alarms

Answer 34

Emergency devices that alert security or authorities in case of a breach or emergency.

Question 35

Control types

Answer 35

Control types are essential components of an effective management system that help organizations achieve their objectives and ensure the smooth operation of processes.

Question 36

What are the six types of security controls?

Answer 36

Preventive
Deterrent
Detective
Corrective
Compensating
Directive

Question 37

What is the purpose of preventive controls?

Answer 37

To eliminate or minimize potential threats before they occur, focusing on proactive measures to avoid security breaches or accidents.

Question 38

Give three examples of preventive controls.

Answer 38

1. Firewall installations to prevent unauthorized access.
2. Employee training programs to teach safety procedures and prevent accidents.
3. Quality control checks in manufacturing processes to prevent defects.

Question 39

What do deterrent controls aim to do?

Answer 39

To discourage individuals from engaging in undesirable behaviors or actions by creating a perception of risk or negative consequences.

Question 40

Provide three examples of deterrent controls.

Answer 40

1. Surveillance cameras in public areas to discourage criminal activity.
2. Warning signs indicating the presence of a security system to deter burglars.
3. Strong passwords and multi-factor authentication to discourage unauthorized access.

Question 41

What is the primary purpose of detective controls?

Answer 41

To identify and detect problems, incidents, or risks that have already occurred. These controls help uncover issues and anomalies promptly for corrective action.

Question 42

Name three examples of detective controls.

Answer 42

1. Security Information and Event Management (SIEM) systems that aggregate and correlate log data to detect suspicious behaviors.
2. Regular financial audits to uncover irregularities or fraud.
3. Intrusion Detection Systems (IDS) that monitor and alert when unusual activity is detected on a network.

Question 43

What is the role of corrective controls?

Answer 43

To address and rectify problems or risks after they have been identified. They mitigate the impact of incidents and help restore normal operations.

Question 44

Give three examples of corrective controls.

Answer 44

1. Applying patches or updates to fix software vulnerabilities.
2. Implementing a backup and recovery system to restore data after a failure.
3. Reconfiguring firewall rules after detecting unauthorized traffic patterns.

Question 45

What are compensating controls?

Answer 45

Alternative measures implemented when primary controls are unavailable, infeasible, or insufficient. These controls help offset limitations or deficiencies in other controls.

Question 46

Provide three examples of compensating controls.

Answer 46

1. Requiring additional layers of approval for financial transactions when automated controls are unavailable.
2. Utilizing a secondary authentication method when the primary method fails.
3. Increasing physical security measures, such as additional guards, when technical controls are compromised.

Question 47

What do directive controls involve?

Answer 47

Providing specific instructions or guidelines to ensure compliance with organizational policies, procedures, or regulations. These controls guide employee actions and decision-making processes.

Question 48

List three examples of directive controls.

Answer 48

1. Codes of conduct or ethical guidelines that define acceptable behavior within the organization.
2. Standard Operating Procedures (SOPs) that outline step-by-step instructions for tasks.
3. Regulatory requirements mandating specific reporting procedures, such as for financial institutions.

Question 49

What are Standard Operating Procedures (SOPs)?

Answer 49

Step-by-step instructions that standardize processes, ensuring consistency and compliance with organizational or regulatory requirements.