Control Objectives 2 Flashcards
Directive controls
Directive controls are proactive actions taken to cause or encourage a desirable event or outcome to occur. They are broad in nature and are used to increase the effectiveness of other controls. Examples: frameworks, models, policies, guidance statements.
Control category - operational
Operational controls are aligned with a process and are primarily implemented and executed by people (change management, testing, training).
Control classification - corrective
Corrective controls minimize the impact of a threat agent, or modify or fix the situation.
Control category - technical
Technical control mechanisms are implemented using hardware, software and/or firmware components, and can be native or supplementary (firewalls, cryptography, 2FA).
Control classification - preventive
Preventive controls stop a threat agent from being successful
Layered security
Layered security (defense-in-depth) is the design and implementation of multiple overlapping layers of diverse controls
Control category - managerial
Managerial controls relate to risk management, governance, oversight, strategic alignment and decision making.
Control category - physical
Physical controls are designed to address physical interactions. They are generally related to buildings and equipment.
Control classification - deterrent
Deterrent controls discourage a threat agent from acting.
Control classification - detective
Detective controls identify and report a threat agent or a threat action.
Compensating controls
Compensating controls are implemented in lieu of a recommended control and provide equivalent or comparable protection. They can be supplemental, short-term or temporary.
Control type examples - preventive
Technical preventive => firewall (operated by a system)
Managerial preventive => on-boarding policy (policies)
Operational preventive => guard shack (performed by people)
Physical preventive => door lock (equipment)
Preventive controls block access to a resource: "you shall not pass".
Control types examples - deterrent
Technical deterrent => splash screen (for example, a pop-up screen requiring you to enter your credentials to gain access; a software control)
Managerial deterrent => demotions (the process of reducing someone to a lower grade)
Operational deterrent => reception desk (performed by people)
Physical deterrent => warning signs (building equipment)
This type of control discourages an intrusion from proceeding: it makes an attacker think twice before attacking, but it does NOT directly prevent access.
Control type examples - detective
Technical detective => system logs (performed by software)
Managerial detective => review login reports
Operational detective => property patrols (performed by people)
Physical detective => motion detectors (equipment)
Detective controls warn about and log information on the attack, finding the issue.