Control Categories

From Glitchdata

CISM: Controls fall into 4 categories:

  • Preventative Controls
    • Preventing security issues and violations through strategies such as policies and security awareness training
    • Reducing exposure supports prevention
    • Preventive controls must fail in either the open or the closed state (i.e. fail-safe or fail-secure)
      • Failing open favours availability
      • Failing closed favours confidentiality
    • Training developers is a preventive control.
  • Deterrent Controls
    • Discouraging malicious activities using access controls or technologies such as firewalls, intrusion detection systems and motion-activated cameras
  • Detective Controls
    • Uncovering unauthorized activity in your environment
    • Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).
  • Corrective Controls
    • Getting your environment back to where it was prior to a security incident
    • Corrective controls, such as backups and failover capabilities, are intended to offset the impact caused by successful attacks directed against information systems.
  • Directive Controls
    • A directive control is a manual control that typically consists of a policy or procedure specifying which actions are to be performed. In this case there is no automated control that prevents the event from occurring.
  • Compensating Controls
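The fail-open/fail-closed distinction under Preventative Controls and the "generation plus review equals control" point under Detective Controls, shown together as an added Python example. This is not code from the Glitchdata page or from CISM material; the policy store, the `PolicyUnavailable` fault, the audit-log line format and the review threshold are constructed assumptions.

```python
"""Added example (not from the page): a preventive access check that can fail
closed or fail open, and a detective review routine over the audit log it writes."""
import re
from collections import Counter
from typing import Dict, List, Optional


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be consulted (constructed fault)."""


# Constructed policy store: (user, resource) -> allowed?
POLICY = {("alice", "/reports"): True, ("bob", "/reports"): False}


def lookup_policy(user: str, resource: str, backend_up: bool = True) -> bool:
    """Consult the policy store; raise if the backend is 'down' (simulated)."""
    if not backend_up:
        raise PolicyUnavailable("policy service unreachable")
    # Unknown (user, resource) pairs are denied by default.
    return POLICY.get((user, resource), False)


def authorize(user: str, resource: str, mode: str, backend_up: bool = True,
              audit_log: Optional[List[str]] = None) -> bool:
    """Preventive control.

    `mode` is 'fail-closed' (deny when the check cannot complete: favours
    confidentiality) or 'fail-open' (allow when the check cannot complete:
    favours availability). Every decision is appended to `audit_log`.
    """
    if mode not in ("fail-closed", "fail-open"):
        raise ValueError(f"unknown failure mode: {mode}")
    try:
        decision = lookup_policy(user, resource, backend_up)
    except PolicyUnavailable:
        # The control itself failed; the configured mode decides the outcome.
        decision = (mode == "fail-open")
    if audit_log is not None:
        outcome = "ALLOW" if decision else "DENY"
        audit_log.append(f"user={user} resource={resource} decision={outcome} mode={mode}")
    return decision


# Constructed log-line pattern matching what authorize() writes.
DENY_PATTERN = re.compile(r"user=(\S+) resource=\S+ decision=DENY")


def review_audit_log(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Detective control: the review step.

    Writing the log alone detects nothing; this review flags users with at
    least `threshold` DENY entries so someone can act on them.
    """
    denies: Counter = Counter()
    for line in lines:
        match = DENY_PATTERN.search(line)
        if match:
            denies[match.group(1)] += 1
    return {user: count for user, count in denies.items() if count >= threshold}


def demo() -> Dict[str, int]:
    """Run both controls end to end and return the review findings."""
    log: List[str] = []
    authorize("alice", "/reports", "fail-closed", audit_log=log)   # ALLOW
    for _ in range(3):                                               # 3 x DENY
        authorize("bob", "/reports", "fail-closed", audit_log=log)
    # Backend outage: fail-closed denies alice, fail-open would allow her.
    authorize("alice", "/reports", "fail-closed", backend_up=False, audit_log=log)
    return review_audit_log(log)


if __name__ == "__main__":
    print(demo())  # {'bob': 3}
```

Under an outage the same check yields opposite answers depending only on the configured failure mode, which is the design decision the page is pointing at; and `review_audit_log` is what turns the written lines into a control.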

Other Controls