Security Controls

Security Controls
Measures put in place, as well as roles and responsibilities clearly assigned to individuals and groups, such that assets, information, and the organization as a whole are both well defined and protected.
List the three basic security controls used to develop a security policy:
Management Controls or Administrative Controls
Security controls that include the policies and procedures around the definition of access controls, definitions of information classifications, roles and responsibilities, and anything needed to manage access control from the administrative point of view.
Administrative controls include the following subcategories:
Operational and security policies and procedures:
Change control, vulnerability management, information classification, and product lifecycle management policies.
Personnel or employee security policies:
Controls that must be in place before access is granted to a resource.
Security education and training:
End-user training and education.
Auditing and monitoring policies:
How to perform employee monitoring, and system and compliance auditing.
Physical Controls
A type of security control aimed at protecting the physical boundaries and ensuring employee safety, usually deployed in layers in accordance with the concept of defense in depth.
Examples include the fence at the entrance of the building, fire alarms, surveillance systems, and security guards.
Physical access controls are usually designed by defining security zones and implementing different kinds of protection, depending on the classification of the assets.
Technical Controls or Logical Controls
A type of security control consisting of all the logical and technological systems in place to implement and enforce the controls included in the security policy and, in general, dictated by the administrative controls.
A firewall, an intrusion detection system, a remote access server, an identity management system, and encryption are all examples of technical controls.
List the additional security controls put into effect before, during, and after a potential security event:
Preventive Controls
Security controls that enforce security policy and should prevent incidents from happening.
The only way to bypass a preventive control is to find a flaw in its implementation or logic.
Examples of preventive controls are access lists, passwords, and fences.
Detective Controls
Security controls that aim to monitor and detect any unauthorized behavior or hazard.
These types of controls are generally used to alert on a failure in other types of controls, such as preventive, deterrent, and compensating controls.
Detective controls are very powerful while an attack is taking place, and they are useful in the post-mortem analysis to understand what has happened.
Audit logs, intrusion detection systems, motion detection, and Security Information and Event Management are examples of detective controls.
Corrective Controls
Security controls used during an incident to correct the problem.
Quarantining an infected computer, sending a guard to block an intruder, and terminating an employee for not having followed the security policy are all examples of corrective controls.
Explain the term Compensating Controls, and its inherent weakness:
Also known as alternative controls.
Mechanisms put in place to satisfy security requirements that are either impractical or too difficult to implement.
Compensating controls do not give the same level of security as their replaced counterparts.