December 15, 2022
CISSP Study Guide: Controls for Operational Security
Operational security is executed through various types of controls. These controls offer varying degrees of protection and fall into six broad categories:
- Preventive controls – designed to reduce the damage and frequency of unintentional errors and to prevent unauthorized access to the system. Data validation mechanisms are examples of preventive operational security controls.
- Detective controls – used to detect errors once they have occurred. These controls go into effect after the incident, and can be used to trace an unauthorized transaction for prosecution, or to reduce adverse influence of an error on the system by catching it early. An audit trail is an example of a detective operational security control.
- Corrective or recovery controls – these are designed to alleviate consequences of a loss event through data recovery procedures. Redundant systems, RAID and tape backup are examples of corrective operational security controls.
- Deterrent or directive controls – employed to encourage compliance with external controls and impede violations. These controls are meant to enhance other types of controls. An administrative policy stating that those who place unauthorized modems on the network could be fired is an example of a deterrent operational security control.
- Application controls – mechanisms designed into a software application to reduce and trace software’s operational irregularities.
- Transaction controls – used to provide control over the various phases of a data transaction. Some common types of transaction controls include:
  - Input controls are designed to ensure that transactions are properly implemented and are entered only once into the system.
  - Processing controls are designed to ensure that transactions are valid and accurate and that wrong entries are reprocessed correctly and immediately.
  - Output controls are designed to safeguard the confidentiality of an output and to verify the integrity of an output by comparing the input transaction with the output data.
  - Change controls are designed to protect data integrity in a system while adjustments are made to the configuration.
  - Test controls are implemented during the testing of a system to prevent violations of confidentiality and to preserve a transaction’s integrity.
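As an added example (not from the study guide), the toy ledger below shows what several of the controls above look like in code: an input control that accepts each transaction id only once, a processing control that validates amounts before posting, a detective audit trail that records every decision, and an output control that reconciles the posted total against a batch control total. The `Ledger` class, its methods and the sample batch are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

@dataclass
class Ledger:
    """Toy transaction pipeline; each comment names the control type the code implements."""
    seen_ids: set = field(default_factory=set)       # input control: each transaction id accepted once
    audit_trail: list = field(default_factory=list)  # detective control: record of every decision
    posted: list = field(default_factory=list)       # transactions that passed all checks

    def _log(self, txn_id, outcome, detail):
        self.audit_trail.append({"id": txn_id, "outcome": outcome, "detail": detail})

    def submit(self, txn: dict) -> str:
        """Return 'posted', 'duplicate' or 'rejected'; every outcome is written to the audit trail."""
        txn_id = txn.get("id")
        # Input control: a transaction id that was already entered is not processed again.
        if txn_id in self.seen_ids:
            self._log(txn_id, "duplicate", "id already entered")
            return "duplicate"
        self.seen_ids.add(txn_id)
        # Processing control: validate the amount before it reaches the ledger.
        try:
            amount = Decimal(str(txn["amount"]))
        except (KeyError, InvalidOperation):
            self._log(txn_id, "rejected", "amount missing or not numeric")
            return "rejected"
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            self._log(txn_id, "rejected", "amount must be positive with at most two decimals")
            return "rejected"
        self.posted.append({"id": txn_id, "account": txn.get("account", ""), "amount": amount})
        self._log(txn_id, "posted", f"{amount} to {txn.get('account', '')}")
        return "posted"

    def reconcile(self, control_total: Decimal) -> bool:
        """Output control: the posted total must equal the control total supplied with the batch."""
        return sum(t["amount"] for t in self.posted) == control_total

# Constructed sample batch (not from the article): includes a re-submitted id and two bad amounts.
SAMPLE_BATCH = [
    {"id": "T1", "account": "ACC-100", "amount": "250.00"},
    {"id": "T2", "account": "ACC-200", "amount": "19.99"},
    {"id": "T1", "account": "ACC-100", "amount": "250.00"},  # duplicate submission
    {"id": "T3", "account": "ACC-300", "amount": "-5"},      # negative amount
    {"id": "T4", "account": "ACC-400", "amount": "abc"},     # non-numeric amount
]

def run_batch(batch=SAMPLE_BATCH, control_total=Decimal("269.99")) -> dict:
    ledger = Ledger()  # outcomes per transaction, reconciliation result and audit trail size
    outcomes = [ledger.submit(t) for t in batch]
    return {"outcomes": outcomes, "reconciled": ledger.reconcile(control_total),
            "audit_entries": len(ledger.audit_trail)}
```

Running `run_batch()` posts T1 and T2, flags the second T1 as a duplicate, rejects T3 and T4, and reconciles because the posted total matches the control total of 269.99.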