Which type of controls restore the system after a disaster or an event: preventive controls, detective controls or corrective controls?

Test your knowledge of the CISSP exam’s Domain 1: Security and Risk Management -- one of the heaviest-weighted portions of the test -- with this practice quiz.

The following quiz is excerpted from the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition, ©2015 John Wiley & Sons, All Rights Reserved.

For IT professionals whose background may be more focused on hardware and software, the world of cybersecurity, risk management and compliance can be new, and sometimes challenging, territory. As opposed to muscle-memory tasks like firewall configuration or patch deployment, the skills needed to navigate the shifting, strategic concepts of risk and compliance use a different part of your brain. But these areas are critical for building a security program in any organization, from small businesses to global enterprises.

The importance of these disciplines is not lost on (ISC)2, which administers the Certified Information Systems Security Professional (CISSP) exam. Domain 1 of the certification exam, Security and Risk Management, is one of the most heavily weighted sections of the test. It accounts for 16% of the final score -- the largest share assigned to any of the exam’s eight domains. Only one other section of the test, Domain 7: Security Operations, shares the same weight.

At a high level, Domain 1 covers cybersecurity, risk management, compliance, law, regulations and business continuity. According to (ISC)2, more specific concepts tested in Domain 1 include:

  • confidentiality, integrity and availability
  • security governance principles
  • compliance
  • legal and regulatory issues
  • professional ethics
  • security policies, standards, procedures and guidelines

Planning to take the CISSP exam and obtain certification? Test your knowledge of Domain 1 with this practice quiz, comprising five multiple-choice questions and 10 true/false questions on key concepts, vocabulary and principles of cybersecurity, risk management, compliance and more.

CISSP® is a registered mark of (ISC)².

This was last published in July 2017


F5 Labs education articles help you understand basic threat-related security topics. 

At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.

Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.

Control Objectives First…

Security controls are not chosen or implemented arbitrarily. They typically flow out of an organization’s risk management process, which begins with defining the overall IT security strategy, then goals. This is followed by defining specific control objectives—statements about how the organization plans to effectively manage risk. For example, “Our controls provide reasonable assurance that physical and logical access to databases and data records is restricted to authorized users” is a control objective. “Our controls provide reasonable assurance that critical systems and infrastructure are available and fully functional as scheduled” is another example.

…Then Security Controls

Once an organization defines control objectives, it can assess the risk to individual assets and then choose the most appropriate security controls to put in place. One of the easiest and most straightforward models for classifying controls is by type: physical, technical, or administrative, and by function: preventative, detective, and corrective.

Control Types

Physical controls describe anything tangible that’s used to prevent or detect unauthorized access to physical areas, systems, or assets. This includes things like fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTVs, surveillance cameras, motion sensors, fire suppression, as well as environmental controls like HVAC and humidity controls.

Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures.

Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

Control Functions

Preventative controls describe any security measure that’s designed to stop unwanted or unauthorized activity from occurring. Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing.

Detective controls describe any security measure or solution implemented to detect and alert on unwanted or unauthorized activity, either while it is in progress or after it has occurred. Physical examples include alarms or notifications from physical sensors (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls.

Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control.

The table below shows how just a few of the examples mentioned above would be classified by control type and control function.

CONTROL TYPES by CONTROL FUNCTIONS

  • Physical
    Preventative: Fences, gates, locks
    Detective: CCTV and surveillance camera logs
    Corrective: Repair physical damage, re-issue access cards

  • Technical
    Preventative: Firewall, IPS, MFA solution, antivirus software
    Detective: Intrusion detection systems, honeypots
    Corrective: Patch a system, terminate a process, reboot a system, quarantine a virus

  • Administrative
    Preventative: Hiring and termination policies, separation of duties, data classification
    Detective: Review access rights, audit logs, and unauthorized changes
    Corrective: Implement a business continuity plan or incident response plan

F5 Labs Security Controls Guidance

To provide threat intelligence that’s actionable, F5 Labs threat-related content, where applicable, concludes with recommended security controls as shown in the following example. These are written in the form of action statements and are labeled with control type and control function icons. They’re meant to be a quick, at-a-glance reference for mitigation strategies discussed in more detail in each article.

Security practitioners implement a combination of security controls based on stated control objectives tailored to the organization’s needs and regulatory requirements. Ultimately, the goal of both control objectives and controls is to uphold the three foundational principles of security: confidentiality, integrity, and availability, also known as the CIA Triad.

To learn more about foundational security concepts, read What is the Principle of Least Privilege and Why Is It Important?

Which type of controls restore the system after a disaster or an event?

Corrective measures – Controls aimed at correcting or restoring the system after a disaster or an event.

What is preventive and detective control?

Detective controls are designed to detect errors or irregularities that may have occurred. Corrective controls are designed to correct errors or irregularities that have been detected. Preventive controls, on the other hand, are designed to keep errors and irregularities from occurring in the first place.

What are preventative controls?

Preventative controls: Designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages.

What are the 4 types of security controls?

One of the easiest and most straightforward models for classifying controls is by type: physical, technical, or administrative, and by function: preventative, detective, and corrective.