real security controls Flashcards
(17 cards)
how many different security risks are out there
many different categories and types
what different assets are there
data
physical property
computer systems
purpose of security controls
minimize the impact & limit the damage
technical controls
controls implemented using systems
operating system controls
firewalls, antivirus
managerial controls
administrative controls associated with security design and implementation
security policies, SOPs
operational controls
controls implemented by people instead of systems
security guards, awareness programs
physical controls
limit physical access
guard shack
fence
lock
badge readers
what are the control categories
technical
managerial
physical
operational
what are the control types
preventive
deterrent
detective
corrective
compensating
directive
preventive
block access to source
you shall not pass
prevent access
- firewall rules - technical
- follow security policy - managerial
- guard checks all identification - operational
- enable door locks - physical
deterrent
discourage an intrusion attempt
does not directly prevent access
make an attacker think twice
- application splash screens - technical
- threat of demotion - managerial
- front reception desk - operational
- posted warning signs = physical
detective
identify and log an intrusion attempt
may not prevent access
find the issue
- collect and review system logs
- regularly patrol the property
- enable motion detectors
- review login reports
corrective
apply a control after an event has been detected
reverse the impact of an event
continue operating with minimal downtime
correct the problem
- restoring from backups can mitigate a ransomware infection
- create policies for reporting security issues
- contact law enforcement to manage criminal activity
- use a fire extinguisher
compensating
control using other means
existing controls aren’t sufficient
may be temporary
prevent the exploitation of a weakness
- firewall blocks a specific application instead of patching the app - technical
- implement a separation of duties - managerial
- require simultaneous guard duties - operational
- generator used after power outage - physical
directive
direct a subject towards security compliance
a relatively weak security control
do this, please
- store all sensitive files in a protected folder - technical
- create compliance policies and procedures - managerial
- train users on proper security policy - operational
- post a sign for “authorized personnel only” - physical
managing security controls
these are not inclusive lists
there are many categories of control
some organizations will combine types
there are multiple security controls for each category and type
- some security controls may exist in multiple types or categories
- new security controls are created as systems and processes evolve
- your organization may use very different controls