5.7 Compare and contrast various types of controls Flashcards
Deterrent [A Class of Controls]
A deterrent control is a type of control that deters someone from performing an action but does not necessarily stop them. An example of a deterrent control is a threat of discipline, or even termination of employment, if the security policy is not followed. A visible security camera is another example of a deterrent control—if someone knows they are on camera, they are less likely to perform actions that can get them in trouble.
Preventive [A Class of Controls]
A preventive control is used to prevent a security incident from occurring. For example, using a cable lock on a laptop helps prevent the theft of the laptop—this can also be classified as a deterrent control because the visible presence of the lock deters a thief from attempting to steal the laptop.
Detective [A Class of Controls]
A detective control is used to detect that a security incident is occurring and will typically notify the security officer. For example, you could have a security alarm as a physical detective control or use an intrusion detection system as a technical detective control.
A security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
Corrective [A Class of Controls]
A corrective control is used to correct a security incident and restore a system to its original state before the security incident occurred.
Coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data, they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
Compensating [A Class of Controls]
A compensating control is a control that is designed to compensate for the residual risk that may exist after another control has been put in place.
Technical (Logical) [A Type of Security Control]
A logical control, also known as a technical control, is responsible for controlling access to a particular resource. Examples of logical controls are firewalls, encryption, passwords, intrusion detection systems (IDSs), or any other mechanism that controls access to a resource. Another example is group policies, which are technical controls that you use to implement the password policy (administrative control) defined by your organization.
User training is imperative for the administrative team that will be implementing the logical controls, such as firewalls and IDSs, because they need to thoroughly understand both the environment in which the controls will be implemented and the actual technical controls. The training should cover not only the organization’s policies, but also how to properly configure each of these devices.
Administrative (Management) [A Type of Security Control]
An administrative control, also known as a management control, is a written policy, procedure, or guideline. You create administrative controls first when designing your security policy because they will dictate the other types of controls that need to be used. Examples of administrative controls are password policy, hiring policy, employee screening, mandatory vacations, and security awareness training.
Physical [A Type of Security Control]
Physical controls are used to control access to the property, building(s), or campus of the organization. Examples of physical controls are doors, locks, fences, security guards, lockdown cables (cable locks), and video surveillance equipment.
Bonus - Operational Control [A Type of Security Control]
Operational controls are controls that are part of the day-to-day activities needed to keep operations going. A good example of an operational control is backups.