Primary Controls (Types)
Primary controls are essential in risk management to mitigate security threats and vulnerabilities. The control cost should be less than the value of the asset being protected.
1. Administrative/Managerial Controls
- Preventive: Measures taken to avoid security incidents.
  - Examples: Hiring policies, screening, security awareness training (also known as soft measures).
- Detective: Measures taken to identify and detect security breaches.
  - Examples: Screening behavior, job rotation, review of audit records.
2. Technical (Logical) Controls
- Preventive: Measures that help prevent unauthorized access and incidents.
  - Examples: Protocols, encryption, biometrics, smart cards, routers, firewalls.
- Detective: Measures that help detect and signal unauthorized activities.
  - Examples: Intrusion Detection Systems (IDS), automatically generated violation reports, audit logs, CCTV (never preventive).
3. Physical Controls
- Preventive: Measures that physically prevent access to facilities and assets.
  - Examples: Fences, guards, locks.
- Detective: Measures that detect unauthorized physical access.
  - Examples: Motion detectors, thermal detectors, video cameras.
Prime Objective
The primary objective of these controls is to reduce the effects of security threats and vulnerabilities to a tolerable level.
Risk Analysis
Risk analysis is the process that analyzes threat scenarios and produces a representation of the estimated potential loss.
Main Categories of Access Control
1. Directive Controls
- Definition: Specify rules of behavior.
- Example: Policies and procedures.
2. Deterrent Controls
- Definition: Discourage people from performing unauthorized activities.
- Example: Warning signs, login banners.
3. Preventative Controls
- Definition: Prevent incidents or breaches from occurring.
- Example: Firewalls, encryption, access controls.
4. Compensating Controls
- Definition: Substitute for the loss or absence of primary controls.
- Example: Backup systems, alternative authentication mechanisms.
5. Detective Controls
- Definition: Signal warnings or alert to the presence of a security breach.
- Example: IDS, audit trails, security cameras.
6. Corrective Controls
- Definition: Mitigate damage and restore control after an incident.
- Example: Antivirus solutions, patch management.
7. Recovery Controls
- Definition: Restore systems and operations to normal after an incident.
- Example: Disaster recovery plans, backups.
Control | Accuracy | Security | Consistency |
---|---|---|---|
Preventive | Data checks, validity checks | Labels, traffic padding, encryption | DBMS, data dictionary |
Detective | Cyclic Redundancy | IDS, audit trails | Comparison tools |
Corrective | Checkpoint, backups | Emergency response | Database controls |
Key Points:
- Preventive Controls: These are designed to prevent security incidents by ensuring data accuracy, applying security measures like encryption, and maintaining consistency in data through tools like DBMS.
- Detective Controls: These focus on detecting incidents when they occur, using tools like IDS and audit trails to monitor and detect anomalies.
- Corrective Controls: These are used to correct or mitigate damage after an incident has occurred, with checkpoints and backups for accuracy, emergency response for security, and database controls for maintaining consistency.
This breakdown aligns with the CISSP concepts of implementing layered security through various types of controls.