Time
10 hours 32 minutes
Difficulty
Beginner
CEU/CPE
11

Video Transcription

00:00
Welcome to Cybrary's video series on the CompTIA Security+ 501 certification and exam. I'm your instructor, Ron Woerner.
00:09
Please see Cybrary.it for more information on this certification and many others.
00:15
In section 5.7 of the risk management domain, you should be able to compare and contrast the various types of security controls.
00:24
A control is simply a defense or countermeasure put in place to manage risk.
00:30
At a high level, controls are classified as technical, management, or operational
00:36
controls. Controls can further be classified by their functional use or according to the time they are acted upon.
00:44
For example, by functionality, they could be classified as deterrent, preventive, detective, or corrective controls.
00:51
We'll also discuss how compensating controls are used to address security or compliance risks.
00:59
Before we dive into the types of controls,
01:02
let's define what a control is: it's a defense or countermeasure put in place to manage the risk.
01:07
Cybrary has their definition: policies, strategies, technologies, configuration settings, et cetera, established in collaboration with various areas of the business, that help mitigate known risks.
01:19
Also be aware of ISACA's definition.
01:23
Keep these definitions in mind as we roll through the different types of controls.
01:30
The first category of control is technical or logical, basically implemented through technology. It could be a deterrent, preventive, detective, or compensating control. Some examples of a technical control: patching, updating, automating the vulnerability management of your systems.
01:49
A firewall, intrusion detection system, or intrusion protection system is another type of technical control.
01:56
Lastly, access controls are all technical.
02:00
The second type of control you should be aware of is administrative or management.
02:05
These are documents, policies, procedures, guidelines, written descriptions of how to secure that infrastructure, how people should behave,
02:14
for example, an acceptable use policy or incident response plan.
02:20
Also dealing with people and personnel aspects of cybersecurity, say, within a security operation center or how you manage guards and surveillance.
02:31
The last aspect of that administrative and management component is security awareness training.
02:37
How are you training your personnel?
02:39
All part of a management type of control.
02:43
The third category of controls is physical or operational.
02:46
This is to reduce the risk of harm coming to physical property, information, computer systems or other assets. Think about what you can actually touch
02:55
or feel.
02:58
For example, a hardened facility is a physical control;
03:01
locks and badges are other examples.
03:06
Think of your own examples for technical, administrative and physical controls.
03:10
Now that you understand the three broad categories of controls, let's learn how they could be leveraged and what level of protection each provides.
03:19
A deterrent control deters. It discourages individuals from intentionally violating a security policy, procedure, or technology. Usually highly visible. Prevents offenses or abuses by influencing choices.
03:38
You see some examples on the screen. Video surveillance: a sign in and of itself is a deterrent control. Seeing the camera could be a deterrent control.
03:49
Dogs,
03:50
also a deterrent control.
03:52
It's actually known that a dog barking keeps away many burglars.
03:58
Fences with barbed wire could also be a deterrent Control.
04:01
As you're thinking about these controls, you'll see there is some overlap between the areas.
04:06
Another type of control is preventive:
04:09
to stop the unwanted event, whether it's a breach, fraud, outage, errors, etcetera. Usually it's a proactive type of measure. It's to stop whatever could happen.
04:23
For example, access authentication, authorization, verification is preventive.
04:29
It prevents someone, maybe, from accessing something logically or physically.
04:33
Separation of duties,
04:36
technical standards, network security, so you can't access, or only certain people can access, your network because of your firewall rules: preventive.
04:45
Internet filter: people can't go out to certain sites on the Internet.
04:49
These are all good examples. Think of your own.
04:53
Detective controls.
04:55
These are warnings of anomalies or violations where you can
05:00
see what's happening, detect what's happening. Could be automated
05:04
or manual. So an automated detective control could be like an intrusion detection system that sends an automated type of warning.
05:13
A camera, though, would be more of a manual system. You need someone to watch that camera and report when they see a problem.
05:21
Detective controls also tend to be more reactive, where preventive are more proactive.
05:28
Examples you see on your screen: cameras. Very
05:31
good example of a detective control. Motion sensors,
05:35
even auditing.
05:36
When you have an auditor come in, they'll detect a potential problem and report on it.
05:42
Once again, think of your own examples for detective controls.
05:46
A corrective control measures to lessen harmful effects or restore the system being impacted.
05:54
It's fixing something, correcting something,
05:57
and it's mostly a reactive type of measure. So you see a problem. You see a door propped open, so you shut it. Patching:
06:04
reactionary. You have a vulnerability, so you patch it.
06:08
Hardening, physical or logical, is corrective. You can see there's some overlap with some of the other types of controls.
06:15
The last control category I'd like to discuss with you is a compensating control. These are alternative controls that are intended to reduce the risk of an existing or potential control weakness.
06:28
It's a mechanism, a process, a technology that satisfies required security measures. So it's doing something else. It's doing something different rather than the intended control. You're
06:41
taking a different path.
06:43
The Payment Card Industry Data Security Standard has their requirements for compensating controls, which you can read on the screen.
06:49
These are good to understand for business and, potentially, for the Security+ exam.
06:58
In section 5.7 we compared and contrasted some of the various types of controls.
07:04
Let's practice on a quiz question. Security cameras, motion sensors, and audits are all a form of which type of security control?
07:15
The Answer.
07:16
D, detective, a reactionary type of control.
07:20
This concludes section 5.7 on various types of controls.

Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC
Instructor