Controls Flashcards
Controls
The policies, procedures, mechanisms, systems, and other measures designed to reduce risk are known as controls.
Three types of controls
1- Physical
2- Technical
3- Administrative
Preventive control
Used to prevent the occurrence of an unwanted event.
Detective Control
Used to record both wanted and unwanted events. This control doesn't enforce activity, but makes the event known.
Deterrent Control
Exists to convince someone that they should not perform some unwanted activity.
Corrective Controls
Activated (manually or automatically) after an unwanted event has occurred.
Compensating controls
Enacted because another direct control cannot be used. They address the risk related to the original control.
Recovery Control
Used to restore the state of a system or asset to its pre-incident state.
Example: use of a tool to remove a virus from a computer.
Why auditors prefer preventive controls over detective controls
Because preventive controls actually block unwanted events.
Why auditors prefer detective controls over deterrent controls
Because detective controls record events while deterrent controls do not.
Key difference between preventive and deterrent controls
A deterrent control requires knowledge of the control by the potential violator; it only works if they know it exists. A preventive control works regardless of whether or not the violator is aware of it.
Categories of Controls
Automatic and manual. IT auditors and security professionals prefer automatic controls to manual ones.
When should control objectives be established?
Prior to the controls themselves.
COBIT 5 control framework
To ensure that IT is aligned with business objectives, the COBIT 5 control framework of five principles and 37 processes is an industry-wide standard.
The five principles
1- Meeting Stakeholder Needs
2- Covering the Enterprise End-to-End
3- Applying a Single, Integrated Framework
4- Enabling a Holistic Approach
5- Separating Governance from Management