Section 1: General Security Concepts

Question 1

These are controls implemented through technology. They are often hardware or software based.

Examples: Firewalls, encryption, intrusion detection systems, authentication mechanisms, access controls.

Security Controls: Categories, Section 1.1

Answer 1

Technical

Question 2

These controls involve strategies, governance, and the organizational approach to information security. They ensure the right policies and procedures are in place.

Examples: Risk assessments, security policies and procedures, security training programs, vendor management.

Security Controls: Categories, Section 1.1

Answer 2

Managerial

Question 3

These controls are often associated with day-to-day tasks and procedures that users or administrators follow.

Examples: Backup and recovery procedures, user awareness training, incident response procedures, change management.

Security Controls: Categories, Section 1.1

Answer 3

Operational

Question 4

These controls are designed to protect the environment of information assets.

Examples: Security guards, fences, locks, CCTV cameras, biometric access controls, secure server rooms, fire suppression systems

Security Controls: Categories, Section 1.1

Answer 4

Physical

Question 5

These controls are designed to ensure that an incident or breach does not occur in the first place.

Examples: Firewalls, access controls, strong password policies, encryption, and security training.

Security Controls: Types, Section 1.1

Answer 5

Preventative

Question 6

While they might not prevent a threat actor from performing a malicious act, they discourage them by increasing the risk or reducing the reward.

Examples: Warning banners (indicating legal consequences of unauthorized access), visible surveillance cameras, and “Account will be locked after three unsuccessful login attempts” mechanisms.

Security Controls: Types, Section 1.1

Answer 6

Deterrent

Question 7

These controls are designed to discover unwanted or unauthorized activity.

Examples: Intrusion detection systems (IDS), audit logs, security information and event management (SIEM) systems, and anomaly detection.

Security Controls: Types, Section 1.1

Answer 7

Detective

Question 8

Once a security incident has been detected, these controls aim to limit the extent of the damage and take action to resolve the situation.

Examples: Anti‐virus software that quarantines malware, incident response teams, backup/restoration tools, and patches for known vulnerabilities.

Security Controls: Types, Section 1.1

Answer 8

Corrective

Question 9

These controls come into play when primary controls are deemed ineffective or unfeasible. They provide alternative measures to achieve the same or similar security objectives.

Examples: If a system cannot support multifactor authentication (a primary control), a stringent password policy and continuous user behavior monitoring might be applied.

Security Controls: Types, Section 1.1

Answer 9

Compensating

Question 10

These controls are used to guide or constrain user actions, usually by stipulating mandatory or recommended actions.

Examples: Acceptable use policies, security policies, guidelines, procedures, and
standards.

Security Controls: Types, Section 1.1

Answer 10

Directive