Security Controls Flashcards
What is in the Technical Control Category?
The technologies, hardware, and software mechanisms that are implemented to manage and reduce risks. Antivirus, firewalls, encryption processes, IDS. Any tool that can automatically protect your system integrity, confidentiality, or availability.
What is in the Managerial Controls (Administrative Controls) Category?
Involve the strategic planning and governance side of security. Ensure that the organization’s security strategies align with its business goals and its risk tolerance. Security Policies, Training programs, and incident response strategies.
What is in the Operational Controls Category?
Procedures and measures designed to protect data on a day-to-day basis are mainly governed by internal processes and human action. Password changes every 90 days, backup procedures, account reviews, and user training programs.
What is in the Physical Controls Category?
Tangible, real-world measures are taken to protect assets and exist outside of the digital world: surveillance cameras, biometrics, reinforced doors, and fences.
What are Preventative Controls?
Proactive measures are implemented to thwart potential security threats or breaches. firewalls
What are Deterrent Controls?
Aim to discourage potential attackers by making the effort seem less appealing or more challenging. Signs or warning banners
What are Detective Controls?
Monitor and alert organizations to malicious activity as it occurs or shortly thereafter. Cameras, IDs
What are Corrective Controls?
Mitigate any potential damage and restore the systems to their normal state.
What are Compensating Controls?
Alternative measures that are implemented when the primary security controls are not feasible or effective. Legacy computer doesn’t support WPA3 so you use WPA2 and VPN on top of that.
What are Directive Controls?
It is often rooted in policy or documentation and sets the standards for behaviour within an organization. Acceptable Use Policy (AUP) provides guidelines on how employees can use company-owned assets.
What is a GAP Analysis?
Process of evaluating the differences between an organization’s current performance and its desired performance. Identify where improvement can be made to bridge the gap between current and desired states.
What are the steps in a GAP Analysis?
- Define the Scope
- Gather data on the current state
- Analyze the data to identify gaps
- Develop a plan to bridge the gap