Page 30 - PowerPoint Presentation

Types of Controls

The term access control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources.

• Deterrent - A deterrent access control is deployed to discourage violation of security policies.
• Preventive - A preventive access control is deployed to thwart or stop unwanted or unauthorized activity from occurring.
• Detective - A detective access control is deployed to discover or detect unwanted or unauthorized activity.
• Compensating - A compensating access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control.
• Corrective - A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. The access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies.
• Recovery - Recovery controls are an extension of corrective controls but have more advanced or complex abilities.
• Directive - A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.


Monitoring and Measurement

Security controls should provide benefits that can be monitored and measured. Often, to obtain countermeasure success or failure measurements, monitoring and recording of events both prior to and after safeguard installation is necessary.
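The before-and-after measurement described above, as an added example that is not part of the slide: a constructed log of recorded security events is split at the safeguard installation time, the event rate per day is computed for each side of that boundary, and the percentage reduction is reported as the countermeasure's measured effect. The log format, the event type and the installation date are assumptions made for this example; empty windows and a zero baseline are handled rather than dividing by zero.

```python
from datetime import datetime

# Constructed sample log (not from the slide): one recorded event per line,
# in the assumed format "<ISO timestamp> <event type>".
SAMPLE_LOG = """\
2024-03-01T08:15:00 brute_force_login
2024-03-02T11:40:00 brute_force_login
2024-03-03T02:05:00 brute_force_login
2024-03-04T19:30:00 brute_force_login
2024-03-05T23:59:00 brute_force_login
2024-03-07T09:10:00 brute_force_login
2024-03-09T14:00:00 brute_force_login
2024-03-11T06:45:00 brute_force_login
"""

# Assumed: an account-lockout safeguard was installed at this instant, and the
# measurement window covers five days on each side of it. The last log line
# falls outside the window and is deliberately left out of the measurement.
SAFEGUARD_INSTALLED = datetime(2024, 3, 6, 0, 0, 0)
OBSERVATION_START = datetime(2024, 3, 1, 0, 0, 0)
OBSERVATION_END = datetime(2024, 3, 11, 0, 0, 0)


def parse_events(log_text, event_type):
    """Return the timestamps of every event of the given type in the log."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, kind = line.split(maxsplit=1)
        if kind == event_type:
            events.append(datetime.fromisoformat(ts_text))
    return events


def rate_per_day(events, start, end):
    """Events per day inside the half-open window [start, end).

    Returns None when the window has no positive length, so callers never
    divide by zero for a misconfigured or empty window.
    """
    days = (end - start).total_seconds() / 86400
    if days <= 0:
        return None
    count = sum(1 for t in events if start <= t < end)
    return count / days


def measure_safeguard(events, installed, start, end):
    """Compare the event rate before and after the safeguard was installed.

    reduction_pct is None when either window is empty or when there was no
    baseline activity to compare against (a zero 'before' rate).
    """
    before = rate_per_day(events, start, installed)
    after = rate_per_day(events, installed, end)
    reduction = None
    if before is not None and after is not None and before > 0:
        reduction = round((before - after) / before * 100, 2)
    return {
        "before_per_day": before,
        "after_per_day": after,
        "reduction_pct": reduction,
    }


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG, "brute_force_login")
    result = measure_safeguard(evts, SAFEGUARD_INSTALLED, OBSERVATION_START, OBSERVATION_END)
    print(result)  # {'before_per_day': 1.0, 'after_per_day': 0.4, 'reduction_pct': 60.0}
```

The half-open windows mean an event stamped exactly at the installation time counts as "after", and the same event type is counted on both sides so that the comparison measures the safeguard rather than a change in what was being logged.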

Asset Valuation

The goal of asset valuation is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones.

Continuous Improvement

The risk analysis/risk assessment is a "point in time" metric. If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.

Risk Frameworks

A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is that defined by NIST in Special Publication 800-37. Other frameworks to consider are Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Factor Analysis of Information Risk (FAIR), and Threat Agent Risk Assessment (TARA).

Establish and Manage Information Security Education, Training, and Awareness

To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified, and programs of presentation, exposure, synergy, and implementation crafted. A prerequisite to security training is awareness.

ITEC106 – Systems Security    Mr. John Mark L. Dula