Welcome to Cyber is video Siris on the company's security, plus 5 +01 certification and example. I'm your instructor, Ron Werner.
Please cease. I bury Dad. I t. For more information on this certification and many others
in section 5.7 of the risk management domain, you should be able to compare and contrast the various types of security controls.
Control is simply a defense or countermeasure put in place to manage risk
at a high level. Controls are classified as technical management or operational
controls. Conf er there be classified by their functional use or according to the time they are acted upon.
For example, functionality. They could be classified as a deterrent. Preventive detective or corrective controls
will also discuss how compensating controls are used to address security or compliance risks.
Before we dive into the types of controls.
Let's define what a control is its defense or countermeasure put in place to manage the risk.
Cyber Eri has their definition. Policy strategies, technologies, configuration settings, et cetera, established in collaboration with various areas of the business, help mitigate known risks.
Also be aware of I Sakas definition.
Keep these definitions that in mind as we roll through the different types of controls.
The first category of control is technical or logical, basically implemented through technology, it could be a deterrent preventive detective or compensating some examples of a technical control. Patching, Updating, automating the vulnerability management of your systems.
Ah, firewall intrusion detection system or protection system is another type of a technical control.
Lastly, access controls are all technical.
The second type of control he should be aware of is administrative or management.
These are documents, policies, procedures, guidelines, written descriptions of how to secure that infrastructure, how people should behave,
for example, an acceptable use policy or incident response plan.
Also dealing with people and personnel aspects of cybersecurity, say, within a security operation center or how you manage guards and surveillance.
Last aspect of that administrative and management component is security awareness training.
How are your training your personnel
all part of a management type of control,
The third category of controls our physical or operational?
This is to reduce the risk of harm coming to physical property, information, computer systems or other assets. Think about what you can actually touch
For example, a hardened facility is a physical control
locks, badges. Other examples.
Think of your own examples for technical, administrative and physical controls.
Now that you understand the three broad categories controls, let's learn how they could be leveraged in what level of protection each provides
a deterrent. Control it the tours. It's discourages individuals from intentionally violating a security policy procedure or technology. Usually highly visible. Prevents offenses or abuses. Abuses by influencing choices.
You see some examples on the screen. Video surveillance A sign in and of itself is a deterrent. Control. Seeing the camera could be a deterrent. Control
Awesome returned control
actually known that dog barking keeps away many burglars.
Fences with barbed wire could also be a deterrent Control.
As you're thinking about these controls, you'll see there is some overlap between the areas.
Another type of control is preventive
to stop the unwanted event, whether it's breech fraud, outage errors, etcetera. Usually it's a proactive type of a measure. Its toe stop. Whatever could happen.
For example, access authentication authorization verification is preventive.
Were prevents someone maybe from accessing something logically or physically.
Separations of duties,
technical standards, network security so you can't access or certain people can access your network because of your firewall rules. Preventive
Internet filter People can't go out to certain sites on the Internet.
These are all good examples. Think of your own
These are warnings of anomalies or violations where you can
see what's happening. Detect what's happening could be automated
or manual. So an automated detective control could be like an intrusion detection system that sends an automated type of warning
camera, though it would be more of a manual system. You need someone to watch that camera and report when they see a problem.
Detective controls also tend to be more reactive, where preventive are more proactive
Examples you see on your screen cameras. Very
good example. Detective controlled motion sensors,
When you have an auditor come in, they'll detect a potential problem and report on it
once again. Think of your own examples for detective controls.
A corrective control measures toe lesson harmful effects or restore the system being impacted.
It's fixing something, correcting something,
and it's mostly a reactive type of a measure. So you see a problem. You see a door propped open so you shut it patching
Reactionary. You have a vulnerabilities for your patch it
hardening physical or logical corrective that you can see there's some overlap with some of the other types of controls.
The last control category I'd like to discuss with you is a compensating control these air alternative controls that are intended to reduce the risk of an existing or potential control weakness.
It's a mechanism, a process technology that satisfies required security measures. So it's doing something else. It's doing something different rather than the intended to control your
taking a different path.
The payment card industry data security standards has their requirements for compensating controls, which you can read on the screen.
These are good toe, understand for business and potentially, for the security plus exam
in section 5.7 we compared and contrasted some of the various types of controls.
Let's practice on a quiz question. Security cameras, motion sensors and audits are all a form of which type of security control
D detective, too reactionary type of control.
This concludes section 5.7 on various types of controls