Chapter 1 - Compare and contrast various types of security controls Flashcards
(29 cards)
Control Objective
is a statement of desired results or purpose to be achieved by implementing a control or set of controls.
Purpose: Protect hosts from malware.
Set of controls: AV, Host firewall, URL filtering, etc.
Proportionality
is the Principle of balance: it is where you consider the costs of security, the security’s impact on usability and user experience, the security’s efficacy in furthering the mission, and any other competing factors, and combine these considerations to determine what and how much security will be the best fit.
Defense in depth
(also known as layered security) is the design and implementation of multiple overlapping layers of diverse controls.
Controls should not be subject to a cascade effect and should maintain independence.
Diversity of type of control and associated vendor should be considered.
Cost Benefit Analysis
Process of comparing estimated costs and benefits to determine whether it makes sense to proceed from a business perspective.
Controls
Controls – tactics, mechanisms, or strategies that proactively minimize risk in one or more of the following ways:
Reduces or eliminates a vulnerability
Reduces or eliminates the likelihood that a threat actor will be able to exploit a vulnerability.
Reduces or eliminates the impact of an exploit.
Fine Tuning Controls - Scoping
Eliminating unnecessary baseline recommendations that are not applicable.
Fine Tuning Controls - Tailoring
Customizing baseline recommendations to align with organizational requirements.
Fine Tuning Controls - Compensating
Substituting a recommended baseline control with a similar control.
Fine Tuning Controls - Supplementing
Augmenting (adding to) the baseline recommendations.
Control Baseline
express minimum standards for a given environment.
Countermeasures
controls implemented to address a specific threat.
Countermeasures are generally reactive
Countermeasures may be more effective but less broadly efficient.
Exploit
when a threat actor successfully takes advantage of a vulnerability.
Assurance
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
Effectiveness
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Statement of desired result to be achieved by implementing a control?
Control objective
Term used to describe multiple layers of diverse controls?
Defense-in-Depth
Set of minimum controls for a given environment?
Control Baseline
Process of eliminating unnecessary baseline recommendations?
Scoping
Control implemented to address a specific threat?
Countermeasure
Control Category - Technical
Mechanisms are implemented using hardware, software, and/or firmware components. Can be native or supplemental.
Examples: firewalls, cryptography, authentication systems.
Control Category - Managerial
Relates to risk management, governance, oversight, strategic alignment and decision making.
Examples: risk assessments, project management
Control Category - Operational
Aligned with processes that are primarily implemented and executed by people.
Examples: change management, training, testing
Control Category - Physical
Designed to address physical interactions. Generally related to buildings and equipment.
Examples: Gates, barricades, locks
Control Classification - Deterrent
Discourage a threat agent from acting