Security Controls - CompTIA Security+ SY0-701 - 1.1

Security Controls

• Security risks are out there

- Many different types to consider

• Assets are also varied

- Data, physical property, computer systems

• Prevent security events, minimize the impact, and limit the damage

- Security controls

Technical Controls

- Controls implemented using systems

- Operating system controls

- Firewalls, anti-virus

Managerial Control

- Administrative controls associated with security design and implementation

- Security policies, standard operating procedures

Operational Controls

- Controls implemented by people instead of technical systems.

- Security guards, awareness programs

Physical Controls

Limits physical access

- Guard shack

- Fences, locks

- Badge readers

Preventive Controls

Block access to resource

Technical Preventative Control example

Firewall rule, antivirus

Managerial Preventative Control example

Security Policy, On-boarding policy

Operational Preventative control example

Guard shack

Physical Preventative control example

Door Lock, badge reader

Deterrent Controls

- Discourages an intrusion attempt

- Doesn't directly prevent access

Technical Deterrent Control example

Application Splash screen

Managerial Deterrent Control example

Threat of demotion, sanctions, punishments

Operational Deterrent Control example

Front Desk receptionist

Physical Deterrent Control example

Posted warning signs

Detective Controls

- Identify and log an intrusion attempt

- May not prevent access

Technical Detective Control

Collecting and review system logs

Managerial Detective Control example

Review login reports

Operational Detective Control example

Property Patrols

Physical Detective Control example

Enabling motion detection, using window sensors

Corrective Controls

- Applying a control after an event has been detected

- Reverse the impact of an event

- Continue operating with minimal downtime

Technical Corrective Control example

Restoring from backups can mitigate ransomware infection

Managerial Corrective Control example

Creating policies for reporting security issues

Operational Corrective control example

Law enforcement

Physical Corrective Controls example

Fire extinguisher

Compensating Controls

- Control procedures that compensate for the deficiency in other controls

- May be temporary

Technical Compensating Controls examples

Block instead of patch

Managerial Compensating Controls examples

Separation of duties

Operational Compensating Controls examples

Simultaneous security staff

Physical Compensating Controls examples

Power generator

Directive Controls

- Direct a subject towards security compliance

- A relatively weak security control

Technical Directive Controls examples

File storage policies

Managerial Directive Controls examples

Compliance policies

Operational Directive Controls examples

Security policy training

Physical Directive Controls examples

Sign: Authorized personnel Only

Managing security controls

- Their are many categories of control which organizations will use in multiple types

- Security controls change as systems and processes evolve