Tuesday, March 11, 2014

CISSP Preparation - Access Controls


I have been working with Access Control issues since the first security audit I participated in, more than 10 years ago, but I must admit that I never approached the issue the way it is presented in CISSP. The structural approach helps in understanding the different types of Access Control methods, but it also brings some level of confusion.

Let's remember how ISC2 categorizes Access Control methods by type. Access Control activities fall into one of three types: Administrative, Technical or Physical. That part is crystal clear, no confusion so far. Besides these types, there are also categories: Preventive, Deterrent, Detective, Corrective, Recovery and Compensating. That's where things start to get complicated.

For CISSP preparation purposes, it is advised to think about the context in which the access control element is employed. To be clearer, let's think about Firewalls. As we all agree, Firewalls are preventive control elements, full stop. But some people also think (and they are completely right to think that way, by the way) that intruders who try to attack a company will discover the presence of a firewall and stop attacking, so it can also be considered a deterrent control. But for exam purposes, it has to fall into only one of the categories, and that will be Preventive. So far, so good.

Compensating controls can be considered apart from the other 5. Compensating controls, as the name implies, replace another control for a reason of convenience (mostly financial). Your company may choose, instead of building a highly secure room to store sensitive information for $300,000, to employ a security guard who in the end costs just $60,000 (the numbers are just given for the example, I really do not know how much security guards are paid :)). This is a good example of compensating controls. I am sure you have seen many others around you.

Of the 5 that are left, corrective and recovery controls can be mixed up by many (including me!). The books explain the way the controls work like this: prevent people from accessing information they are not authorized to access; if that fails, then use detective controls to discover how they did it and what they changed. Then try to correct the things that have been changed. If it is not possible to correct them, then recover the systems to their last known working state. This flow completely makes sense. However, can someone please explain to me how System Images are corrective controls rather than recovery controls?

Below, you can find some examples of control elements and how they are categorized. Actually I wanted to embed an Excel table, but both my poor blogging skills and Blogger's unfriendliness did not allow me to. The first classification is the one given in the books, and the second answer in parentheses is my own opinion. Please share your opinion with me.

Fence : Physical, Deterrent (Preventive)
Lighting : Physical, Deterrent (Detective)
Server Images : Technical, Corrective (Recovery)


