Domain 1: Security and Risk Management; Access Control Defensive Categories and Types Flashcards
What are the three access control categories?
Administrative, technical, and physical.
What are administrative (also called directive) controls?
Administrative controls are implemented by creating and following organizational policy, procedure, and regulation. User training and awareness also fall into this category.
What are technical controls?
Technical controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, encryption, etc.
What are physical controls?
Physical controls are implemented with physical devices, such as locks, fences, gates, security guards, etc.
What are the six access control types?
Preventive, detective, corrective, recovery, deterrent, compensating.
What is a preventive (preventative) control?
Preventive controls prevent actions from occurring. They apply restrictions to what a potential user, either authorized or unauthorized, can do. The assigning of privileges on a system is a good example of a preventive control because having limited privileges prevents a user from accessing and performing unauthorized actions on the system. An example of an administrative preventive control is a pre-employment drug screening.
What is a detective control?
Detective controls are controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed-circuit television (CCTV) cameras that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.
What are corrective controls?
Corrective controls work by correcting a damaged system or process. Corrective controls work hand in hand with detective controls. Antivirus software has both components. First, the antivirus software runs a scan and uses its definition file to detect whether there is any software that matches its virus list. If it detects a virus, the corrective controls take over, place the suspicious software in quarantine, and delete it from the system.
What are recovery controls?
After an incident, recovery controls need to be applied in order to restore the functionality of the systems and organization.
What are deterrent controls?
Deterrent controls deter a user from performing actions on a system. Examples are a "Beware of Dog" sign and a large fine for speeding. A sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal Web sites is a deterrent.
What are compensating controls?
A compensating control is an additional security control put in place to compensate for weaknesses in other controls. For example, surfing explicit Web sites would be a cause for an employee to lose their job. This would be an administrative deterrent. However, by also adding a review of each employee’s Web logs each day, we are adding a detective compensating control to augment the administrative control of firing an employee who surfs inappropriate Web sites.
What category and type of control is a sanction policy?
Administrative deterrent.
What category and type of control is a post-employment random drug test?
Administrative detective.
What category and type of control is a pre-employment random drug test?
Administrative preventive.