Chapter 1 - Compare and contrast various types of security controls Flashcards
What are the main control categories?
technical, managerial, operational, and physical
What are technical controls?
Technology-based measures such as firewalls and encryption
Where do technical controls play a crucial role?
Within an organisation’s technical systems, including computer networks, software, and data management
What is the primary focus of technical controls?
Upholding system integrity, mitigating the risk of unauthorised access, and protecting sensitive data from potential threats
List two types of technical controls
Firewalls and data encryption
What do firewalls do?
Firewalls protect computer networks from unauthorised access. They monitor incoming and outgoing network traffic, filter and block potential threats, and reduce the risk of unauthorised intrusion
What is data encryption?
It is a technical control that converts sensitive information into a coded form, making it unreadable to unauthorised individuals
What do managerial controls encompass?
Implementation of policies, procedures, and practices by management to guide and direct the activities of individuals and teams. Through effective planning, organising, and performance monitoring, managerial controls ensure that employees are aligned with the organisation’s goals
List three types of managerial controls
Performance reviews, risk assessments, and code of conduct
What is a performance review?
Performance reviews are a managerial control that involves regular assessments of employee performance
What is a risk assessment?
Risk assessments are a managerial control that involves the systematic identification, evaluation, and mitigation of potential risks within an organisation
What is a code of conduct?
A code of conduct is a set of guidelines and ethical standards established by management to govern employee behavior
What are operational controls?
Operational controls revolve around the execution of day-to-day activities and processes necessary for delivering goods and services. They involve managing operational procedures, ensuring adherence to quality standards, enhancing productivity, and optimising efficiency
List three types of operational controls
Incident response procedures, security awareness training, and user access management
What are incident response procedures?
Incident response procedures are operational controls that outline the steps to be followed in the event of a security incident or breach
What is security awareness training?
Security awareness training is an operational control that educates employees about security threats, best practices, and organisational policies
What is user access management?
User access management is an operational control that involves the management and control of user access privileges to systems, applications, and data. It includes processes for user provisioning, access requests, access revocation, and periodic access reviews
Who implements technical controls?
The security team
What are physical controls?
Physical controls are a crucial aspect of overall security, focusing on the protection of an organization’s tangible assets, facilities, and resources. They encompass a range of measures and techniques aimed at preventing unauthorized access, ensuring safety, and mitigating physical security risks
List nine types of physical controls
Access control vestibule, biometric locks, guards/security personnel, security fences, CCTV surveillance systems, mantraps, vehicle barriers, tamper-evident seals, and panic buttons/alarms
What is an access control vestibule?
An access control vestibule is a small, enclosed area with two doors that creates a buffer zone between the outside environment and the secured area. It typically requires individuals to pass through multiple authentication steps (such as presenting an access card or undergoing biometric verification) before they can proceed into the secured area
What is a biometric lock?
Biometric locks use unique physical or behavioral characteristics, such as fingerprints, iris patterns, or facial recognition, to grant access
How do guards provide physical security?
They act as a visible deterrent and can provide physical intervention and response in case of security breaches
How do security fences provide physical security?
They deter unauthorized access to premises or a restricted area
How do CCTV surveillance systems provide physical security?
They use cameras to monitor and record activities in specific areas
How do mantraps provide physical security?
Mantraps are enclosed areas that allow only one person at a time to pass through
What form can vehicle barriers take?
Vehicle barriers can take the form of bollards, gates, tire spikes, or hydraulic barriers
How do tamper-evident seals provide physical security?
Tamper-evident seals are used to secure containers, equipment, or sensitive areas. These seals are designed to show visible signs of tampering or unauthorized access, such as a broken seal or a change in color, indicating that someone has attempted to gain access or tamper with the secured item
How do panic buttons/alarms provide physical security?
Panic buttons or alarms provide a quick and visible means of alerting security personnel or authorities in case of an emergency or security breach
What are control types?
They are essential components of an effective management system that help organisations achieve their objectives and ensure the smooth operation of processes
List the six control types
Preventive, deterrent, detective, corrective, compensating, and directive
What are preventive controls?
These controls are designed to prevent problems or risks from occurring in the first place. They focus on eliminating or minimising potential threats before they can cause harm
Give three examples of preventive controls
Examples of preventive controls include firewalls, employee training programs, and quality control checks
What are deterrent controls?
Deterrent controls aim to discourage individuals from engaging in undesirable behaviors or activities. They create a perception of risk or negative consequences to deter potential offenders
Give three examples of deterrent controls
Surveillance cameras, warning signs, and strong passwords with multi-factor authentication
What are corrective controls?
Corrective controls are put in place to address problems or risks after they have been identified. They aim to rectify the situation, mitigate the impact, and restore normalcy
List two examples of corrective controls
A backup and recovery system that restores data after a system failure, and fixes or patches that address software vulnerabilities
What are compensating controls?
Compensating controls are alternative measures implemented when primary controls are not feasible or sufficient. They help offset the limitations or deficiencies of other controls
List three examples of compensating controls
Examples of compensating controls include requiring additional layers of approval for financial transactions in the absence of automated control systems, utilizing a secondary authentication method when the primary method fails or is unavailable, and increasing physical security measures when technical controls are compromised
What are directive controls?
Directive controls involve providing specific instructions or guidelines to ensure compliance with policies, procedures, or regulations. They establish a clear framework for employees to follow
Give three examples of directive controls
Examples of directive controls include a code of conduct or ethical guidelines that outline acceptable behavior within an organisation, standard operating procedures (SOPs) that detail step-by-step instructions for completing tasks, and regulatory requirements that mandate specific reporting procedures for financial institutions