Controls

Question 1

4 categories of controls

Answer 1

Avoidance
Deterrence
Resistance
Responsive

Question 2

Avoidance controls

Answer 2

Seek to keep threat actor from contact with the asset.

Question 3

Deterrence controls

Answer 3

Keep contact event from becoming a threat event.

Limits probability of action, limiting threat event frequency.

Question 4

Resistance controls

Answer 4

Decreases the vulnerability of an asset. Keep threat event from becoming a loss event

Limits LEF.

Question 5

Responsive controls

Answer 5

Limit the amount of loss an organization experiences.

Break threat actors contact with asset.

Limits loss magnitude

Question 6

Avoidance control examples

Answer 6

Physical security, network segmentation, reducing the number of assets

Question 7

Deterrence examples

Answer 7

AUP, network monitoring, security cameras, data masking, guards, logon screens

Question 8

Resistance examples

Answer 8

Access management, authentication, config management, patching, bulletproof glass

Question 9

Responsive examples

Answer 9

Insurance, redundancy, IR, encryption, data destruction, crisis communication, agreements for discounted credit monitoring and legal defense costs, PR campaigns.

Question 10

What are controls?

Answer 10

Technical elements deployed to keep bad things from happening or reduce loss.

Question 11

Avoidance controls limit…

Answer 11

Threat event frequency

Question 12

Deterrence controls limit…

Answer 12

Probability of action and threat event frequency

Question 13

Resistance controls limit…

Answer 13

Loss event frequency

Question 14

Responsive controls limit…

Answer 14

Loss magnitude and risk