Security Controls Overview

Questions and Answers

What type of controls could be best described as discouraging unauthorized access without necessarily preventing it?

  • Directive controls
  • Managerial controls
  • Deterrent controls (correct)
  • Physical controls

Which of the following is an example of a directive control implementation?

  • Installing intrusion detection systems
  • Employing security guards on the premises
  • Using biometric scanners for access control
  • Providing security awareness training to employees (correct)

Which type of control focuses on identifying suspicious activities and potential breaches?

  • Deterrent controls
  • Managerial controls
  • Physical controls
  • Detective controls (correct)

What is an example of a managerial control?

Establishing security policies and procedures (D)

Which of the following best describes physical controls in a security context?

Techniques to restrict access to physical locations (D)

Which category of security controls focuses on administrative and policy-based measures?

Managerial (C)

What is the primary purpose of preventative controls?

Reduce the likelihood of security incidents (C)

Which of the following is an example of a technical control?

Encryption (C)

What type of security control can be employed when a primary control is not feasible?

Compensating Controls (C)

Which category of controls is primarily concerned with the day-to-day management of security measures?

Operational (A)

What is the focus of detective controls?

Identifying security incidents after they occur (A)

Which of the following is NOT a responsibility of managerial controls?

User account management (C)

Which of the following examples is a physical control?

Surveillance cameras (D)

What do operational controls primarily ensure?

Implementation of security policies and procedures (C)

Which of the following technologies is NOT classified as a technical control?

Surveillance camera (A)

Flashcards

Deterrent Controls

Controls that try to stop attackers or unauthorized individuals from accessing systems or data, but don't necessarily prevent access.

Directive Controls

Controls that guide people on how to secure systems and data, based on rules and best practices.

Managerial Controls

Controls that involve managing security roles, ensuring compliance with regulations, and overseeing security practices.

Detective Controls

Controls that detect suspicious activities or potential security breaches.

Physical Controls

Controls that physically restrict access to locations and assets.

What is the purpose of security controls?

Security controls help protect the organization’s assets and data by acting as a defense-in-depth strategy.

What does the CIA triad stand for?

The CIA triad consists of Confidentiality, Integrity, and Availability, which are fundamental principles of security.

What are technical security controls?

Technical controls use tools and technologies to enhance security. Examples include firewalls, encryption, and access controls.

What are managerial security controls?

Managerial controls involve administrative and policy-based measures like creating security policies and risk assessments.

What are operational security controls?

Operational controls focus on day-to-day practices and procedures. Examples include account management, security monitoring, and backing up data.

What are physical security controls?

Physical controls focus on physical security measures. Examples include access control systems, surveillance cameras, and securing facilities.

What are preventative security controls?

Preventative controls aim to stop security incidents from occurring. Examples include firewalls, encryption, and strong authentication.

What are detective security controls?

Detective controls identify security incidents after they have occurred. Examples include log analysis, security audits, and intrusion detection systems.

What are corrective security controls?

Corrective controls respond to and fix security incidents. Examples include incident response plans, patch management, and data recovery procedures.

What are compensating security controls?

Compensating controls provide alternative security measures when primary controls are insufficient. Examples include implementing multiple layers of security or using alternative technologies.

Study Notes

Security Controls

  • Security controls help protect the organization’s assets and data
  • Controls act as a “defense-in-depth” approach
  • Security controls help ensure the CIA triad: Confidentiality, Integrity, and Availability

Categories of Security Controls

  • There are four main categories of controls:
    • Technical: Tools and technologies like firewalls, encryption, and access controls
    • Managerial: Administrative and policy-based measures like creating security policies and risk assessments
    • Operational: Day-to-day practices and procedures, like user account management
    • Physical: Security measures for physical premises and assets, like access control systems and surveillance cameras

Hierarchy of Security Controls

  • Security controls have a top-down hierarchy
    • Managerial controls set high-level policies and frameworks
    • Operational controls implement the policies and procedures defined by managerial controls
    • Technical controls are the actual implementation using tools and technologies
    • Physical controls support the other control categories

Managerial Controls

  • Purpose: Guide and manage the organization's overall security program
  • Responsibilities:
    • Setting security policies
    • Defining roles and responsibilities
    • Ensuring compliance with regulations and industry standards
  • Examples:
    • Security policies and procedures
    • Risk assessments and risk management processes
    • Security awareness training for employees
    • Incident response and management plans
    • Security audits and assessments
    • Security governance and compliance frameworks

Operational Controls

  • Purpose: Ensure effective implementation of security policies and technical controls
  • Responsibilities:
    • Ongoing management and operations of security systems and processes
    • Supervising teams’ adherence to security policies
  • Examples:
    • User account management and provisioning
    • Security monitoring and incident detection
    • Backup and recovery procedures
    • Change management processes
    • Physical access control to data centers or comms closets
    • Security log reviews and analysis
    • Patch management and system maintenance program

Technical Controls

  • Purpose: Employ technologies and tools to protect systems and data
  • Examples:
    • Data encryption (at rest and in transit)
    • Firewalls
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR)
    • Data loss prevention (DLP)
    • Security Information and Event Management (SIEM)
    • Anti-virus (AV) software
    • Mobile device management (MDM)
    • Virtual Private Networks (VPN)
    • Log analysis
    • Incident response processes
    • Network segmentation and isolation
    • Firewall configurations
    • Biometric authentication systems
    • Security patches and software updates

Physical Controls

  • Purpose: Protect the organization's physical premises and assets
  • Examples:
    • Access control systems (biometric readers, scanners)
    • Surveillance cameras
    • Security guards
    • Fencing and barriers
    • Intrusion detection systems for physical facilities
    • Secure storage for documents and equipment
    • Shred policies
    • Data destruction policies and equipment
    • Environmental controls (fire suppression systems, climate control)

Control Types

Preventative Controls

  • Purpose: Proactively reduce the likelihood of security incidents
  • Examples:
    • Firewalls
    • Access control systems (ACLs)
    • Encryption
    • Strong authentication
    • Patching systems before an incident occurs

Detective Controls

  • Purpose: Identify security incidents after they have occurred
  • Examples:
    • Log analysis
    • Security audits
    • Intrusion detection systems (IDS)
    • Security Information and Event Management (SIEM)

Corrective Controls

  • Purpose: Respond to and correct security incidents and breaches
  • Examples:
    • Incident response plans
    • Patch management
    • Data recovery procedures
    • Backups

Compensating Controls

  • Purpose: Provide alternative or additional security measures when primary controls are not feasible or insufficient
  • Examples:
    • End-of-life or end-of-service systems
    • Implementing multiple layers of security to address vulnerabilities
    • Multi-factor authentication as a backup for forgotten usernames and passwords
    • Implementing a host-based firewall on a legacy server that cannot be upgraded

Deterrent Controls

  • Deterrent controls discourage attackers and unauthorized individuals from breaching security, but don't necessarily prevent access.
  • Examples include:
    • Warning signs
    • Security cameras
    • Intrusion detection systems

Directive Controls

  • Directive controls provide guidance on security policies, procedures, and best practices.
  • Examples include:
    • Security policies
    • Security awareness training
    • Security guidelines for employees
