Technical
Technical or logical controls involve the hardware or software mechanisms used to manage
access and to provide protection for resources and systems. As the name implies, they use
technology. Examples of logical or technical controls include authentication methods (such as
usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access
control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.
Administrative
Administrative controls are the policies and procedures defined by an organization’s security
policy and other regulations or requirements. They are sometimes referred to as management
controls. These controls focus on personnel and business practices. Examples of
administrative controls include policies, procedures, hiring practices, background checks,
data classifications and labeling, security awareness and training efforts, vacation history,
reports and reviews, work supervision, personnel controls, and testing.
Physical
Physical controls are items you can physically touch. They include physical mechanisms
deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
Examples of physical controls include guards, fences, motion detectors, locked doors,
sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs,
video cameras, mantraps, and alarms.
Applicable Types of Controls
The term security control refers to a broad range of controls that perform such tasks as
ensuring that only authorized users can log on and preventing unauthorized users from
gaining access to resources. Controls mitigate a wide variety of information security risks.
Whenever possible, you want to prevent any type of security problem or incident. Of
course, this isn’t always possible, and unwanted events occur. When they do, you want to
detect the events as soon as possible. And once you detect an event, you want to correct it.
As you read the control descriptions, notice that some are listed as examples of more
than one access-control type. For example, a fence (or perimeter-defining device) placed
around a building can be a preventive control (physically barring someone from gaining
access to a building compound) and/or a deterrent control (discouraging someone from trying
to gain access).
Deterrent
A deterrent control is deployed to discourage violation of security policies. Deterrent and
preventive controls are similar, but deterrent controls often depend on individuals deciding
not to take an unwanted action. In contrast, a preventive control actually blocks the action.
Some examples include policies, security-awareness training, locks, fences, security badges,
guards, mantraps, and security cameras.