1B - Comparing Control Types Flashcards
What are the 3 main security control types?
Managerial, operational and technical
What are managerial controls?
Written by managers. Create organisational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks.
2 examples of managerial controls.
- Annual Risk Assessment - each department identifies risks and risk treatments and places them in a risk register. These are reviewed annually.
- Penetration testing / vulnerability scanning (N.B. the difference is that penetration testing is intrusive, since it exploits vulnerabilities rather than just detecting them)
What are operational controls?
Executed by company personnel during their day-to-day.
3 examples of operational controls.
- Annual Security Awareness Training
- Change Management - the Change Advisory Board (CAB) assists with prioritisation of changes and ensures that they don't cause security risks to the company.
- Business Contingency Plan - planning to keep the business up and running in the event of a disaster by identifying any single point of failure that may prevent the company from being operational.
What are technical controls?
Implemented by the IT Team to reduce the risk to the business.
5 examples of technical controls.
- Firewall rules
- Antivirus/antimalware
- Screen savers
- Screen filters
- Intrusion Prevention / Detection Systems (IPS / IDS)
2 examples of deterrent controls.
- Motion sensors that switch on a light
- CCTV warning signs
What are detective controls?
Used to investigate an incident that has happened.
2 examples of detective controls.
- CCTV
- Log files (stored on Write-Once Read-Many (WORM) media so that they cannot be tampered with)
What are corrective controls?
Actions taken to recover from an incident.
Other names for compensating controls?
Alternative / Secondary Controls
What are compensating controls?
Controls used instead of a primary control that has failed or is not available.
What are preventative controls?
Controls that deter attack.
2 examples of preventative controls.
- Disabling user accounts
- Operating system hardening - ensuring the OS is fully patched and unused features are turned off