Physical Security Controls and Risk Flashcards
Preventive Controls
A device that prevents unauthorized entities from physically accessing sensitive materials.
ex. a door lock on a server room.
Detective Controls
Where detection of intrusion is conducted and logged.
If there’s ever a breach in security, this breach must be detected and logged so that it may later be investigated.
Deterrent Controls
Any sort of ‘warning’ put up with the intent of deterring possible security intrusions.
ex. a sign that says “beware of dog”, “private property”, “do not enter”, “under surveillance”, anything along those lines
Recovery Controls
When an issue or breach has occurred and you’ve lost data as a consequence, Recovery Controls are what will allow you to restore that data.
You should have a separate location where you host your back-up files that you can use in order to reconstruct and resolve any issues that may’ve taken place at your primary location.
Hot and cold backups:
- hot backup, also known as dynamic or online backup, is a backup performed on data while the database is actively online and accessible to users. A hot backup is the standard way of doing most database backups.
- cold backup, also known as offline backup, is a backup performed on data while the database is not online and no users are logged in.
The advantage to performing a hot rather than cold backup is that the database remains available while data is being reconstructed.
Compensating Controls
Compensating Controls compensate for other physical security controls in the case that they fail.
ex. if you’re responsible for a server center and there’s a power outage, you should have a power source that’s independent of the grid that’ll be able to compensate for that outage. (That independent power source would qualify as a Compensating Control).
What are the three types of security controls?
- Physical Controls
  - like the name might imply, this is any measure put in place to deter physical attacks, or even natural disasters and such.
  - ex. doors, walls, fences, flood prevention systems, underground server bunkers, all that sweet saucy stuff. Also includes signs and such (deterrent controls).
- Technical Controls
  - involves a lot of software systems and some hardware
  - ex. intrusion detection systems, intrusion prevention systems, firewalls, 2 factor/3 factor/4 factor identifications.
- Administrative Controls
  - Policies and procedures
Risk Management
Risk: refers to the threat of damage or loss.
Depending on a system’s impact, the risk level can be:
- Extreme/High
- Medium
- Low
Risk level: Extreme/High > Consequence: Serious danger > Action: Measures should be immediately taken to reduce the risk.
Risk level: Medium > Consequence: Medium danger > Action: Measures should be taken as soon as possible.
Risk level: Low > Consequence: Negligible danger > Action: Preventive measures should be taken to mitigate the risk.
Always take the proper steps to mitigate your risks, even when the risks are basically negligible. This stuff builds up fast, and if you aren’t responsible about dealing w/ it, you’ll either create a lot of problems for yourself or a lot of work.