Control Types

Question 1

Preventive (Control Type)

Answer 1

Blocks access to a resource.

Examples of four types:

Technical ie; firewalls
Managerial ie; Security policy
Operational ie; Guard shack checks all IDs
Physical ie; Locks on doors enabled

Question 2

Deterrent (Control Type)

Answer 2

Discourages an intrusion attempt.
Does not directly prevent access.

Makes attacker think twice.

Example of four types:
Technical ie; Application splash screens
Managerial ie; Threat of demotion
Operational ie; front reception desk
Physical ie; Posted warning signs

Question 3

Detective (Control Type)

Answer 3

Identify, alert and log intrusion attempt.
May not prevent access.

Technical ie; Collect and review system logs
Managerial ie; Review log in reports
Operational ie; Regularly patrol property
Physical ie; Enable motion detectors

Question 4

Corrective (Control Type)

Answer 4

Occurs after event.
Continue with minimum downtime or reverse impact.

Technical ie; restore from backups mitigating ransomware infection
Managerial ie; Policies for reporting security issues
Operational ie; Contact law enforcement
Physical ie; Use fire extinguisher

Question 5

Compensating (Control Type)

Answer 5

Issue has occurred and other means are used to temporarily mitigate the issue.
Prevents continued exploitation of issue.

Technical ie; Firewall blocks a specific app instead of patching it
Managerial ie; Implement separation of duties
Operational ie; Require simultaneous guard duties
Physical ie; Generator used after power outages

Question 6

Directive (Control Type)

Answer 6

A relatively weak security control.
Directs a subject towards a security compliance.
“Do this please….”

Technical ie; Store all sensitive fils in a protected folder
Managerial ie; Create compliance policies and procedures
Operational ie; Train users on proper security policy
Physical ie; Post a sign “For Authorized Personnel Only”

Question 7

Control Types

Answer 7

Different categories of security risks:
-Technical
-Managerial
-Operational
-Physical

Can combine types.
New types can evolve.
Different organizations use different types.

Used to protect assets: Data, physical or computer systems.
Prevents security events
Minimizes impact
Limits damage

Question 8

Technical Controls

Answer 8

Implemented using some type of system.
Examples:
Operating system controls
Firewalls
Anti-virus

Question 9

Managerial Controls

Answer 9

Administrative controls associated with security design and implementation.

Examples:
Security policies
SOPs

Question 10

Operational Controls

Answer 10

Uses people to implement.

Examples:
Security guards
Awareness programs

Question 11

Physical Controls

Answer 11

Limits physical access

Examples:
Guard shack
Fences
Locks
Badge readers