CISM: Controls

From Glitchdata
  • Consider the Confidentiality, Integrity, and Availability CIA Triad when developing controls policy.
  • Security control should not exceed the business value of the asset.
  • Control strength is achieved by proper design.
  • CISM: Control Frameworks
  • CISM: Control Categories
    • Controls fall into 4 categories:
      • Preventative
      • Deterrent
      • Detective
      • Corrective
  • Controls focus on People, Process and Technology.


Preventative Controls

Preventive controls inhibit attempts to violate security policies.

  • Preventative
    • Preventing security issues and violations through strategies such as policies and security awareness training
    • Reducing exposure supports prevention
    • Preventive controls must fail in either an open or a closed state (i.e. fail-safe or fail-secure)
      • Failing-open favours availability
      • Failing-closed favours confidentiality
  • Preventive controls exist at both general and application levels.
  • Preventive - An Access control system inhibits attempts to compromise a system
  • Preventive - Role-based access is a preventative control that provides access according to business needs. It reduces unnecessary access rights, and enforces accountability.
  • Preventive - Firewall
  • Preventive - Nonrepudiation is a control technique that addresses the integrity of information by ensuring that the originator of a message or transaction cannot repudiate (deny or reject) the message, so the message or transaction can be considered authorized, authentic and valid.
  • Preventive - Segregation of Duties
  • Preventive - Segmenting a highly sensitive database
  • Preventive - Social engineering attacks can best be mitigated through periodic security awareness training.
  • Preventive - Increase frequency of password rotation
  • Preventive - One Time Password (OTP)
  • Preventive - Avoid granting system admin roles to contract personnel
  • Preventive - Implementing appropriate access controls.
    • Mandatory, Discretionary, Walled Garden, Role-based.
  • Preventive - Steganographic Techniques
  • Preventive - Table Lookups
    • These are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.
  • Preventive - Having a manager approve transactions more than a certain amount is considered a preventive control.
  • Preventive - Filtering network traffic is a preventive control.
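Two of the points above (the fail-open/fail-closed design choice and table lookups) are easier to see in code. The following is an added illustration, not content from the Glitchdata page: a small authorization gate whose role table is a constructed lookup table, and whose behaviour when the policy store is unavailable is selected by a `FailureMode` setting. All names (`FailureMode`, `ROLE_PERMISSIONS`, `authorize`) are assumptions made for this example.

```python
"""Preventive control illustration (added example, not from the page):
a fail-closed vs fail-open access gate plus a table-lookup input check."""
from enum import Enum


class FailureMode(Enum):
    FAIL_CLOSED = "fail-closed"  # favours confidentiality: deny when the control fails
    FAIL_OPEN = "fail-open"      # favours availability: allow when the control fails


# Constructed role table. A table lookup rejects any role not listed here
# instead of falling back to some default set of rights.
ROLE_PERMISSIONS = {
    "clerk": {"read_invoice"},
    "manager": {"read_invoice", "approve_invoice"},
}


def is_known_role(role):
    """Table lookup: only predefined roles are valid input."""
    return role in ROLE_PERMISSIONS


def lookup_permissions(role):
    """Return the permission set for a role; undefined roles are rejected."""
    if not is_known_role(role):
        raise ValueError(f"undefined role: {role!r}")
    return ROLE_PERMISSIONS[role]


def authorize(role, action, mode, policy_available=True):
    """Return True if `action` is allowed for `role`.

    policy_available=False simulates the control itself failing (for example
    the policy store being unreachable); `mode` then decides the outcome.
    """
    if not policy_available:
        # The control cannot evaluate policy: fail-open allows, fail-closed denies.
        return mode is FailureMode.FAIL_OPEN
    try:
        return action in lookup_permissions(role)
    except ValueError:
        # Undefined input never reaches the permission check.
        return False


if __name__ == "__main__":
    for mode in FailureMode:
        print(mode.value, "with policy store down ->",
              authorize("manager", "approve_invoice", mode, policy_available=False))
```

Run it and the two modes print opposite answers for the same request when the policy store is down, which is the whole point of choosing the failure state deliberately rather than inheriting whatever the implementation happens to do.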

Deterrent Controls

  • Deterrent - A warning banner which provides a warning that can deter potential compromise.
  • Deterrent
    • Discouraging malicious activities using access controls or technologies such as firewalls, intrusion detection systems and motion-activated cameras
  • Deterrent - Defence-in-depth focuses on external threats and control layering.
  • Deterrent - An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access.
  • Deterrent - Load balancing is not as effective in mitigating most network DoS attacks. Packet Filtering is better.
  • Deterrent - Packet filtering techniques are the only ones which reduce network congestion caused by a network denial-of-service (DoS) attack

Detective Controls

  • Detective Controls are focused on uncovering unauthorized activity in your environment
  • Detective controls exist at both general and application levels.
  • Detective - SIEM
  • Detective - Audit trail monitoring is a detective control.
  • Detective - An alarm system
  • Detective - Virus Detection is an effective tool that primarily focuses on malicious code from external sources.
  • Detective - Implementing monitoring techniques help detect and deal with potential fraud cases.
  • Detective - Implement Intrusion Detection System
  • Detective - Honeypots
  • Detective - Steganography
  • Detective - Log Generation + Review
    • Generation of an activity log alone is not a detective control because it does not help in detecting inappropriate
  • Detective - Examining inbound network traffic for viruses is a detective control.
  • Detective - Logging inbound network traffic is a detective control.
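The "Log Generation + Review" point above is worth making concrete: the log lines on their own detect nothing, and it is the review logic that turns them into a detective control. The following is an added example, not code from the page. The log format, the sample lines and the threshold are all constructed for the illustration; the review function flags any user/source pair that accumulates five authentication failures inside a five-minute window.

```python
"""Detective control illustration (added example, not from the page):
reviewing a constructed activity log for repeated authentication failures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Generating these lines is not, by itself, detection.
SAMPLE_LOG = """\
2024-01-01T09:00:01 auth user=alice src=10.0.0.5 result=FAIL
2024-01-01T09:00:07 auth user=alice src=10.0.0.5 result=FAIL
2024-01-01T09:00:12 auth user=alice src=10.0.0.5 result=FAIL
2024-01-01T09:00:20 auth user=bob src=10.0.0.9 result=OK
2024-01-01T09:00:25 auth user=alice src=10.0.0.5 result=FAIL
2024-01-01T09:00:31 auth user=alice src=10.0.0.5 result=FAIL
2024-01-01T09:30:00 auth user=carol src=10.0.0.7 result=FAIL
"""

# Assumed line layout for the constructed format above.
LINE_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, user, src, result) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ts, user, src, result = match.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def review_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """The review step: flag (user, src) pairs with >= threshold FAIL events
    inside a sliding time window. Returns a sorted list of flagged pairs."""
    recent_failures = defaultdict(list)
    alerts = set()
    for ts, user, src, result in sorted(events):
        if result != "FAIL":
            continue
        key = (user, src)
        bucket = recent_failures[key]
        bucket.append(ts)
        # Drop failures that have aged out of the window.
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.add(key)
    return sorted(alerts)


if __name__ == "__main__":
    for user, src in review_failed_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT: repeated failed logins user={user} src={src}")
```

With the sample above only `alice` from `10.0.0.5` is flagged; `carol`'s single failure never reaches the threshold. Raising the threshold or shrinking the window changes what counts as "inappropriate", which is exactly the tuning decision the review step owns and the raw log does not.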

Corrective Controls

Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation.

  • Corrective controls exist at both general and application levels.
  • Corrective - Getting your environment back to where it was prior to a security incident
  • Corrective - Reducing the attack surface limits the extent of exposure.
    • Limiting entry points, ports, protocols and taking other precautions reduces exposure.
  • Corrective - Patch Management involves the correction of software weaknesses and would necessarily follow change management procedures.
  • Corrective - Contingency planning ensures that the system and data are available in the event of a problem.
  • Corrective - A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network.
  • Corrective - Corrective controls, such as backups and failover capabilities, are intended to offset the impact caused by successful attacks directed against information systems.
  • Corrective - Diverting incoming traffic helps correct the situation and, therefore, is a corrective control.

Related