Security Controls Flashcards
What are security controls?
- measures and safeguards implemented to protect information assets and mitigate security risks
- help organizations enforce security policies, manage vulnerabilities, and safeguard their systems and data
What is the difference between safeguards and countermeasures?
- safeguards are proactive
- countermeasures are reactive
What are the 3 different types of controls?
- Administrative Controls
- Technical Controls
- Physical Controls
Describe Administrative Controls
- include policies, procedures, guidelines, and security awareness training that govern the organization’s security posture
- examples include acceptable use, password management, data classification, incident response, and employee onboarding/offboarding procedures
Describe Technical Controls
- involve the implementation of hardware, software, and technologies to protect information systems
- examples: firewalls, encryption mechanisms, access control mechanisms, antivirus software, secure configurations, and network segmentation
Describe Physical Controls
- encompass measures to protect physical assets and the physical environment in which information systems operate
- examples: physical access controls, video surveillance, secure facilities, environmental controls (such as temperature and humidity regulation), and secure disposal of sensitive materials
What are security controls often based on?
- control objectives and frameworks that provide a structured approach to security implementation
What are examples of security control frameworks?
- NIST SP 800-53
- ISO/IEC 27001
- CIS Controls
Which NIST publication covers the assessment of security and privacy controls?
NIST SP 800-53
What is required for ensuring effectiveness of the security controls?
- regular control assessments and audits
- ongoing monitoring, maintenance, and updates
What are the 6 security control types?
Name them in order.
- Deterrent
- Preventative
- Detective
- Compensating
- Corrective
- Recovery
Describe Deterrent security control type
Name an example
- intended to discourage potential attackers or unauthorized individuals from attempting to exploit vulnerabilities or engage in malicious activities
- prominent signage indicating the presence of video surveillance, security guards patrolling premises, visible locks or barriers
Describe Preventative security control type
Name an example
- deployed to stop or thwart unwanted or unauthorized activity from occurring
- access control mechanisms (e.g., strong authentication, user permissions), firewalls, IPS, encryption, secure coding practices
Describe Detective security control type
Name an example
- put in place to identify or detect security incidents or unauthorized activities that have already occurred
- security monitoring systems, IDS, log analysis tools, security information and event management (SIEM) systems, security audits, mandatory vacation or job rotation
Describe Compensating security control type
Name an example
- alternative measures implemented to address the deficiencies or limitations of primary security controls
- provide alternatives to other existing controls
- put in place when it is not feasible or practical to implement the originally planned controls or when existing controls are unable to fully meet the security requirements
- example:
  - organization has a security policy that requires all employees to encrypt sensitive data when transmitting it over the network
  - due to technical limitations in the existing infrastructure, the organization is unable to implement encryption on the network devices directly
  - admins configure a VPN solution that encrypts all network traffic between employee devices and the organization’s network