Chapter 2 - Access Control Concepts Flashcards
Separation of Duties
The principle of separation of duties (sometimes known as segregation of duties) states that no single individual should hold so many privileges that he or she can complete an important technical or business function alone.
When a single individual is able to perform an important business function end to end, there is potential for fraud or abuse that nobody else would notice. Such functions should be divided into separate tasks performed by different individuals or groups, so that misusing the function requires collusion rather than one person acting alone.
Least Privilege
“Least privilege,” also known as the “principle of least privilege” (PoLP), is a fundamental concept in information security and access control. It refers to the practice of granting individuals or systems the minimum level of access or permissions required to perform their tasks or job functions, and no more. In essence, least privilege restricts access to only what is necessary for users or processes to fulfill their roles and responsibilities, reducing the potential for security risks and limiting the impact of security breaches or mistakes.
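The two principles above are easiest to see in code. The following is an added example (not from the original flashcards): a deny-by-default authorization check for a payment workflow in which roles are granted only the permissions their job needs (least privilege), and the person who created a payment can never be the one who approves it (separation of duties). The role names, permission strings and sample payment are constructed for illustration, not taken from any real system.

```python
"""Least privilege and separation of duties in one authorization check.

Added illustration; role names, permissions and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Least privilege: each role carries only the permissions its job requires.
# Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "auditor": {"payment:read"},
}


@dataclass
class Payment:
    payment_id: str
    created_by: str
    approved_by: Optional[str] = None


def has_permission(roles: Set[str], permission: str) -> bool:
    """Allowed only if some held role explicitly grants the permission.

    Unknown roles grant nothing, so a typo in a role name fails closed."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def approve_payment(payment: Payment, user: str, roles: Set[str]) -> Tuple[bool, str]:
    """Approve a payment, enforcing both principles.

    Returns (ok, reason). Even a user who holds the approver role is refused
    when they also created the payment: that is the separation-of-duties
    check, and it is independent of the role check."""
    if not has_permission(roles, "payment:approve"):
        return False, "denied: role lacks payment:approve"
    if payment.created_by == user:
        return False, "denied: separation of duties (creator cannot approve)"
    payment.approved_by = user
    return True, "approved"


if __name__ == "__main__":
    # Constructed scenario: alice creates a payment and tries to approve it
    # herself, holding both roles; bob, an approver who did not create it, succeeds.
    p = Payment("p-1", created_by="alice")
    print(approve_payment(p, "alice", {"payments_clerk", "payments_approver"}))
    print(approve_payment(p, "carol", {"auditor"}))
    print(approve_payment(p, "bob", {"payments_approver"}), p.approved_by)
```

Note that the separation-of-duties rule is enforced on the object (who created this payment), not on the role table: granting someone both roles is a least-privilege problem, but even if that happens the second check still prevents the single-person path.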
Types of Controls
Information security controls are measures and safeguards put in place to protect an organisation’s information assets, systems, and resources from various threats and risks. These controls can be categorised into three primary types:
- Technical Controls
- Physical Controls
- Administrative Controls
Technical Controls
Technical controls are security measures that rely on technology to enforce security policies and protect information systems and data. These controls are typically implemented through software, hardware, or a combination of both.
Examples:
- Access Control Lists (ACLs)
- Firewalls
- Encryption
- Antivirus Software
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Patch Management
- Endpoint Security
Physical Controls
Physical controls are security measures that are designed to protect the physical assets of an organization, such as buildings, data centers, equipment, and personnel.
Examples:
- Access Control Systems
- Surveillance Cameras
- Security Guards
- Security Fencing and Barriers
- Environmental Controls (fire suppression, temperature and humidity control)
Administrative Controls
Administrative controls are security measures that are established through policies, procedures, and guidelines. They involve the human element of security and govern how an organization’s security program is managed.
Examples:
- Security Policies and Procedures
- Security Awareness Training
- Incident Response Plans
- Access Control Policies
- Security Audits and Assessments
- Personnel Security
Categories of Controls
Categories of controls represent different approaches to managing and mitigating security risks.
- Detective Controls
- Deterrent Controls
- Preventive Controls
- Corrective Controls
- Recovery Controls
- Compensating Controls
Detective Controls
Detective controls are designed to identify and detect security incidents or deviations from security policies and practices. They are reactive in nature and help organisations recognise unauthorised activities or breaches after they have occurred.
Examples:
- Intrusion Detection Systems (IDS)
- Security Information and Event Management (SIEM)
- Log Analysis
- Security Audits and Reviews
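Log analysis is the detective control most often built by hand, so here is an added example of one (not from the original flashcards): a scanner that reads SSH-style authentication log lines and raises an alert when one source address accumulates a threshold of failed logins inside a sliding time window. The log lines, the line format, the threshold and the window length are all constructed assumptions for illustration; a real deployment would read the host's actual auth log and tune both numbers.

```python
"""Detective control: flag password brute-forcing from auth log lines.

Added illustration; the sample log, format, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real data). One source, 203.0.113.5,
# fails four times within a few seconds; 198.51.100.7 has one success and
# one failure, which should not alert.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[201]: Failed password for root from 203.0.113.5 port 50123 ssh2
2024-03-01T10:00:03 sshd[202]: Failed password for admin from 203.0.113.5 port 50124 ssh2
2024-03-01T10:00:04 sshd[203]: Accepted password for alice from 198.51.100.7 port 44000 ssh2
2024-03-01T10:00:06 sshd[204]: Failed password for root from 203.0.113.5 port 50125 ssh2
2024-03-01T10:00:08 sshd[205]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
2024-03-01T10:00:09 sshd[206]: Failed password for bob from 198.51.100.7 port 44001 ssh2
2024-03-01T10:05:00 sshd[207]: Failed password for root from 203.0.113.5 port 50130 ssh2
"""

# Assumed line format: ISO timestamp, process, result, optional "invalid user",
# username, source address, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return {source: time of first alert} for sources with at least
    `threshold` failed logins inside any `window_seconds` window.

    A per-source deque holds the timestamps of recent failures; timestamps
    older than the window are dropped from the front before each check."""
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue  # successful logins and unparseable lines are ignored
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]  # alert once per source
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} repeated failed logins from {src}")
```

Because this control only fires after the failures have already happened, it is detective, not preventive; pairing it with a firewall rule or account lockout that acts on the alert would add the preventive or corrective side.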
Deterrent Controls
Deterrent controls discourage potential attackers or unauthorised individuals from attempting a breach by making the control visible, so that a would-be attacker expects to be noticed or caught. They aim to stop malicious activity before it starts rather than to block or detect it.
Examples:
- Warning signs
- Access Control Fencing
- Security guards
Preventive Controls
Preventive controls are proactive measures put in place to prevent security incidents or vulnerabilities from occurring in the first place. They focus on reducing or eliminating potential security risks.
Examples:
- Firewalls
- Access Control
- Encryption
- Security Policies and Procedures
Corrective Controls
Corrective controls are enacted after a security incident or breach has occurred to minimise the impact and restore normal operations. They focus on correcting the damage and preventing similar incidents in the future.
Examples:
- Incident Response Plan
- Patch Management
- Data discovery
- Security Awareness training
Recovery Controls
Recovery controls are aimed at restoring an organisation’s operations and systems to normal functionality after a significant disruption or disaster, such as a cyberattack or natural disaster.
Examples:
- Disaster Recovery Plan
- Backup and Restore Procedures
- Alternate Processing Sites
Compensating Controls
Compensating controls are implemented when it is not feasible or practical to apply the primary control. They provide an alternative means of achieving the same security objective; for example, when a legacy system cannot be patched, isolating it on its own network segment reduces the exposure the missing patch would otherwise create.
Examples:
- Mobile Device Management
- Network Segmentation