5.1: Compare and contrast various types of controls.

Question 1

Managerial

Answer 1

Managerial controls are those that are based on overall risk management. These security controls focus on the management of risk or the management of the cybersecurity system.

Question 2

Operational

Answer 2

An operational control is a policy or procedure used to limit security risk. These security controls are primarily implemented and executed by people, as opposed to systems.

Question 3

Technical

Answer 3

A technical control uses some form of technology to address a physical security issue. These security controls are primarily implemented and executed by the information system through mechanisms contained in its hardware, software, or firmware components.

Question 4

Control Types: Preventative

Answer 4

A preventative control is one that prevents specific actions from occurring, such as a mantrap prevents tailgating. Preventative controls act before an event, preventing it from advancing. A firewall is an example of a preventative control, as it can block access to a specific resource.

Question 5

EXAM TIP

Answer 5

The key element in passing Exam Objective 5.1 is the ability to compare and contrast various types of controls. How are they alike (compare) and how are they different (contrast)? Understanding the differences can be subtle. For instance, do laws with punishment, if enforced, prevent attacks? Laws may deter attackers, but they do not prevent them from attacking if the deterrent doesn’t dissuade them from deciding to attack.

Question 6

Control Types: Corrective

Answer 6

A corrective control is used after an event, in an effort to minimize the extent of damage. Load balancers and redundant systems act to reduce the risk from system overloading and are thus corrective controls. Backups are a prime example of a corrective control, as they can facilitate rapid resumption of operations.

Question 7

Control Types: Deterrent

Answer 7

A deterrent control acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker. Any control that increases the cost to an attacker is a deterrent control. An example would be laws and regulations that increase punishment, increasing risk and costs for the attacker. Another example would be the use of salts for password hashes to increase the cost of building rainbow tables.

Question 8

Compensating

Answer 8

A compensating control is one that is used to meet a requirement when there is no control available to directly address the threat. Fire suppression systems do not prevent fire damage, but if properly employed, they can mitigate or limit the level of damage from fire.

Question 9

Physical

Answer 9

A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something.