CompTIA Security+ Study Notes
CompTIA Security+ Study Notes
Home
Buy Me A Coffee
Discord
Quizlet
About
Donors
CompTIA Security+
Acronyms
Common Ports
Domain 1 - Threats, Attacks, & Vulnerabilities
Domain 2 - Technologies & Tools
Domain 3 - Architecture & Design
Domain 4 - Identity & Access Management
Domain 5 - Risk Management
Personnel Policies
Business Impact Analysis
Risk Assessment
Incident Response
Forensics
Disaster Recovery & Business Continuity Plans
Controls
Data Privacy
Domain 6 - Cryptography & PKI
Powered by GitBook

Controls

Controls

  • A defense or countermeasure to put in place to manage risk.

  • Policies, strategies, technologies, configuration settings, etc. established in collaboration with various departments of an organization to help mitigate known risks.

  • The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be an administrative, technical, management, or legal nature.

Control Categories

  • Technical / Logical Controls

    • Implemented through technology.

    • May be deterrent, preventive, detective, or compensating.

    • Examples:

      • Patching

      • Firewalls, IDS/IPS

      • Access Controls

  • Administrative / Management Controls Purpose: to implement security policies based on procedures, standards, and guidelines.

  • Documents, policies, procedures, and guidelines.

    • Acceptable Use Policy

    • Incident Response Plan (IRP)

  • People/Personnel

    • Security Operations Center

    • Guards

    • Surveillance

  • Security Awareness Training

  • Physical / Operational Controls

    • Reduce the risk of harm coming to physical property, information, computer systems, or other assets.

    • Examples:

      • Hardened Facility

      • Locks

      • Badges

Control Types

  • Deterrent Controls

    • Intended to discourage individuals from intentionally violating security policies, procedures, or technologies.

    • Highly visible.

    • Prevent offenses or abuses by influencing choices.

  • Preventive Controls

    • Stop an unwanted event.

    • Proactive measures.

    • Examples:

      • Access, authentication, authorization, verification.

      • Separation of Duties

      • Technical Standards

      • Network Security - Firewalls, IPS

      • Internet Filtering

  • Detective Controls

    • Warning of anomalies or violations.

    • Automated or Manual

    • Reactive

    • Examples:

      • Cameras

      • Motion Sensors

      • Intrusion Detection System / SIEM

      • Audits

  • Corrective Controls

    • Measures to lessen harmful effects or restore the system being impacted.

    • Mostly reactive measures.

    • Examples:

      • Patching/Upgrades

      • Hardening (Physical / Logical)

      • Process Improvements

  • Compensating Control

    • Alternate controls that are intended to reduce the risk of an existing or potential control weakness.

    • Mechanism that satisfies a required security measure.

    • PCI DSS:

      • Meet the intent and rigor of the original stated requirement.

      • Provide a similar level of defense as the original requirement.

      • Be "above and beyond" other requirements.

      • Be commensurate with the additional risk imposed by not adhering to the requirement.

​

Previous
Disaster Recovery & Business Continuity Plans
Next
Data Privacy
Last updated 7 months ago
Contents
Controls
Control Categories
Control Types