GCGA Ch. 1 Mastering Security Basics Flashcards
Security Control Categories
Technical, Managerial, Operational, Physical
Security Control Types
Preventive, Deterrent, Detective, Corrective, Compensating, Directive
Access Controls
Controlling who accesses data is how you ensure confidentiality (the C in the CIA triad). Identification, authentication, and authorization are the three core identity and access management activities that help ensure only authorized personnel can access data.
Confidentiality
Keeping data secret from all but those authorized to access it. This is accomplished by encryption, identification, authentication, and authorization.
Managerial Controls
Primarily administrative in function. They are typically documented in an organization’s security policy and focus on managing risk.
Operational Controls
Help ensure that the day-to-day operations of an organization comply with the security policy. People implement them.
Physical Controls
Impact the physical world, such as locks on doors, fences, security guards, and other objects that you can physically touch.
Preventive Controls
Attempt to prevent an incident from occurring
Detective Controls
Attempt to detect incidents after they have occurred
Corrective Controls
Attempt to restore normal operations after an incident occurs
Deterrent Controls
Attempt to discourage individuals from causing an incident
Compensating Controls
Alternative controls used when a primary control is not feasible
Directive Controls
Provide instruction to individuals on how they should handle security-related situations that arise
Encryption
Scrambling data to make it unreadable to unauthorized personnel
Examples of technical controls
Encryption, antivirus software, Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewalls, least privilege principle
Examples of managerial controls
Risk assessments, vulnerability assessments
Examples of operational controls
Awareness and training, configuration management, media protection
Examples of physical controls
Barricades, bollards, access control vestibules, lighting, signs, fences, sensors
Examples of preventive controls
Hardening (defense-in-depth, layered security, disabling unnecessary ports and services), training (against social engineering), security guards, account disablement process (ensures an employee's account is disabled when the employee leaves the organization), IPS
Examples of detective controls
Log monitoring, SIEM, IDS, security audit (ex. account audit to make sure personnel/technical
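Added example (not from the book or these flashcards): a minimal account audit, the detective control named above, run over constructed sample data. It catches what the preventive account disablement process should already have handled (a departed employee whose account is still enabled) and also flags enabled accounts with no recent login. The user names, dates, leaver list, and the 90-day staleness threshold are all assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed directory export (assumed data, not from the book):
# one record per account with its enabled flag and last login date.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2024, 5, 30)},
    {"user": "bob",   "enabled": True,  "last_login": date(2024, 1, 10)},  # left the org, never disabled
    {"user": "carol", "enabled": False, "last_login": date(2023, 12, 1)},  # left the org, correctly disabled
    {"user": "dave",  "enabled": True,  "last_login": date(2023, 11, 15)}, # still employed, but stale
]

# Constructed HR leaver list (assumed): people who have left the organization.
LEAVERS = {"bob", "carol"}

# Date the audit is run (assumed), fixed so the result is reproducible.
AUDIT_DATE = date(2024, 6, 1)


def audit_accounts(accounts, leavers, today, stale_days=90):
    """Detective control: report accounts that violate the disablement policy.

    Returns a list of (user, reason) tuples. An empty list means the
    preventive account disablement process worked and nothing is stale.
    """
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        user = acct["user"]
        if acct["enabled"] and user in leavers:
            # Preventive control failed: the leaver's account was never disabled.
            findings.append((user, "enabled account belongs to departed employee"))
        elif acct["enabled"] and acct["last_login"] < cutoff:
            # Not a leaver, but unused accounts are a standing risk and need review.
            findings.append((user, f"no login in the last {stale_days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(ACCOUNTS, LEAVERS, AUDIT_DATE):
        print(f"FINDING {user}: {reason}")
```

Running the audit on the sample data reports bob (a leaver still enabled) and dave (enabled but stale); carol is skipped because disabling her account is exactly what the preventive control was supposed to do, so the audit only confirms it. The audit detects the problem after the fact; the disablement process that should have prevented it remains the preventive control.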
Examples of corrective controls
Backups and system recovery, incident handling processes
Examples of deterrent controls
Warning signs, login banners
Examples of compensating controls
Time-based one-time password (TOTP) used temporarily in place of a smart card, for example while a new employee waits for the card to be issued
Examples of directive controls
Policies, standards, procedures, and guidelines, change management