Ch11 - 11.01 - Introducing Access Control Flashcards

Ch11 - Access Control

1
Q

Types of Controls

A
  1. Administrative (management) control
  2. Logical (technical) control
  3. Physical control
  4. Operational control
2
Q

Administrative (management) control

A

An administrative control, also known as a management control, is a written policy, procedure, or guideline. You create administrative controls first when designing your security policy because they will dictate the other types of controls that need to be used. Examples of administrative controls are the password policy, hiring policy, employee screening, mandatory vacations, and security awareness training.

Remember that administrative controls are the security policies being defined, while a logical (technical) control is the implementation of a protection mechanism such as a firewall or antivirus software.

3
Q

Logical (technical) control

A

A logical control, also known as a technical control, is responsible for controlling access to a particular resource. Examples of logical controls are firewalls, encryption, passwords, intrusion detection systems (IDSs), or any other mechanism that controls access to a resource. Another example is group policies, which are technical controls that you use to implement the password policy (administrative control) defined by your organization.

User training is imperative for the administrative team that will be implementing the logical controls, such as firewalls and IDSs, because they need to thoroughly understand both the environment in which the controls will be implemented and the actual technical controls. The training should cover not only the organization's policies, but also how to properly configure each of these devices.

4
Q

Operational control

A

Operational controls are controls that are part of day-to-day activities needed to keep operations going. A good example of an operational control is backups.

5
Q

Classes of Controls

A
  1. Preventative
  2. Corrective
  3. Detective
  4. Deterrent
  5. Compensating
6
Q

Preventative Controls

A

A preventative control is used to prevent the security incident from occurring. For example, using a cable lock on a laptop helps prevent the theft of the laptop—this can also be classified as a deterrent control because the visible presence of the lock deters a thief from attempting to steal the laptop.

7
Q

Corrective Controls

A

A corrective control is used to correct a security incident and restore a system to its original state before the security incident occurred.

8
Q

Detective Controls

A

A detective control is used to detect that a security incident is occurring and will typically notify the security officer. For example, you could have a security alarm as a physical detective control or use an intrusion detection system as a technical detective control.

9
Q

Deterrent Controls

A

A deterrent control is a type of control that deters someone from performing an action, but does not necessarily stop them. An example of a deterrent control is a threat of discipline, or even termination of employment, if the security policy is not followed. A visible security camera is another example of a deterrent control—if someone knows they are on camera, they are less likely to perform actions that can get them in trouble.

10
Q

Compensating

A

A compensating control is a control that is designed to compensate for the residual risk that may exist after a control has been put in place.

11
Q

False Positives/False Negatives

A

False positive
The test comes back as true (positive), but the test results are wrong (false), and the test should have been false. For example, antivirus software wrongly blocks a file, thinking it has a virus when it doesn’t. Or a spam filter wrongly flags a message as spam mail when it is not.

False negative
The test returns false (negative), but the results are wrong (false), and in reality it should have come back as true.

12
Q

Least Privilege

A

The concept of least privilege is to give the minimal permissions needed for users to perform their duties.

13
Q

Separation of Duties

A

Separation of duties means that you ensure that all critical tasks are broken down into different processes and that each process is performed by a different employee.

14
Q

Job Rotation

A

Your company should enforce mandatory vacations in order to detect fraudulent or suspicious activities within the organization by another employee taking over the job role while someone is on vacation. Mandatory vacations also keep employee morale high and keep the employee refreshed. Just as it is important to enforce mandatory vacations, you should also employ job rotation within the business. Job rotation ensures that different employees are performing different job roles on a regular basis. This will help detect fraudulent activities within the business as well.
