Ch11 - 11.01 - Introducing Access Control

Question 1

Types of Controls

Answer 1

1. Administrative (management) control
2. Logical (technical) control
3. Physical control
4. Operational control

Question 2

Administrative (management) control

Answer 2

An administrative control, also known as a management control, is a written policy, procedure, or guideline. You create administrative controls first when designing your
security policy because they will dictate the other types of controls that need to be used. Examples of administrative controls are the password
policy, hiring policy, employee screening, mandatory vacations, and security awareness training.

Remember that administrative controls
are the security policies being defined, while a logical control (technical) is the implementation of a protection mechanism such as a firewall or antivirus software.

Question 3

Logical (technical) control

Answer 3

A logical control, also known as a technical control, is responsible for controlling access to a particular
resource. Examples of logical controls are firewalls, encryption, passwords, intrusion detection systems (IDSs), or any other mechanism that controls access to a resource. Another example is group policies,
which are technical controls that you use to implement the password policy (administrative control) defined by your organization.

User training is imperative for the administrative team that will be implementing the logical controls, such as firewalls and IDSs, because they need to thoroughly understand both the environment in which the
controls will be implemented and the actual technical controls. The training should cover not only the organization’s policies, but also how to properly configure each of these devices.

Question 4

Operational control

Answer 4

Operational controls are controls that are part of

day-to-day activities needed to keep operations going. A good example of an operational control is backups.

Question 5

Classes of Controls

Answer 5

1. Preventative
2. Corrective
3. Detective
4. Deterrent
5. Compensating

Question 6

Preventative Controls

Answer 6

A preventative control is used to prevent the security
incident from occurring. For example, using a cable lock on a laptop helps prevent the theft of the laptop—this can also be classified as a deterrent control because the visible presence of the lock deters a thief
from attempting to steal the laptop.

Question 7

Corrective Controls

Answer 7

A corrective control is used to correct a security incident and restore a system to its original state before the security incident occurred.

Question 8

Detective Controls

Answer 8

A detective control is used to detect that a security incident is occurring and will typically notify the security officer. For example, you could have a security alarm as a physical detective control or use an intrusion detection system as a technical detective control.

Question 9

Deterrent Controls

Answer 9

A deterrent control is a type of control that deters someone from performing an action, but does not necessarily stop them. An example of a deterrent control is a threat of discipline, or even termination of employment, if the security policy is not followed. A visible security camera is another example of a deterrent control—if someone knows they are on camera, they are less likely to perform actions that can get them in trouble.

Question 10

Compensating

Answer 10

A compensating control is a control that is designed to

compensate for the residual risk that may exist after a control has been put in place.

Question 11

False Positives/False Negatives

Answer 11

False positive
The test comes back as true (positive), but the test results are wrong (false), and the test should have been false. For example, antivirus software wrongly blocks a file, thinking it has a virus when it doesn’t. Or a spam filter wrongly flags a message as spam mail when it is not.

False negative
The test returns false (negative), but the results are wrong (false), and in reality it should have come back as true.

Question 12

Least Privilege

Answer 12

The concept of least privilege is to give the minimal permissions needed for users to perform their duties.

Question 13

Separation of Duties

Answer 13

Separation of duties means that you ensure that all critical tasks are broken down into different processes and that each process is performed by a different employee.

Question 14

Job Rotation

Answer 14

Your company should enforce mandatory vacations in order to detect fraudulent or suspicious activities within the organization by another employee taking over the job role while someone is on vacation. Mandatory vacations also keep employee morale high and keep the employee refreshed. Just as it is important to enforce mandatory vacations, you should also employ job rotation within the business. Job rotation ensures that different employees are performing different job roles on a regular basis. This will help detect fraudulent activities within the business as well.