I have been working with Access Control issues since the
first security audit I participated in, more than 10 years ago, but I must admit
that I never approached the issue the way it is presented in CISSP. The
structured approach makes the different types of Access
Control methods easier to understand, but it also brings some level of confusion.
Let's remember how ISC2 categorizes Access Control methods by type.
Access Control activities fall into one of three types: Administrative, Technical and Physical.
That is crystal clear, no confusion so far. Beyond these types there are
categories: Preventive, Deterrent, Detective, Corrective,
Recovery and Compensating. That's where things start to
get complicated.
For CISSP preparation purposes, it is advised to think about
the context in which the access control element is employed. To be clearer, let's
think about firewalls. As we all agree, firewalls are preventive control
elements, period. But some people also think (and they are completely right to
think that way, by the way) that intruders who try to attack a company will discover
the presence of a firewall and stop attacking, so it can also be considered
a deterrent control. But for exam purposes, it has to fall into only one of the
categories, and that will be Preventive. So far, so good.
Compensating controls can be considered apart from
the other five. Compensating controls, as the name implies, replace another
control for reasons of convenience (mostly financial). Your company may
choose, instead of building a highly secure room to store sensitive information
for $300,000, to employ a security guard who in the end costs just $60,000
(the numbers are given just for the example; I really do not know how much security guards
are paid :)). This is a good example of a compensating control. I am sure you
have seen many others around you.
Of the five that are left, corrective and recovery
controls can be mixed up by many (including me!). The books explain the way controls work
as follows: prevent people from accessing information they are not
authorized to access; if that fails, use detective controls to discover how they did it
and what they changed; then try to correct the things that have been changed; if
it is not possible to correct them, recover the systems to their last known
working state. This flow completely makes sense. However, can someone please
explain to me how System Images are corrective controls rather than recovery controls?
Below you can find some examples of
control elements and how they are categorized. Actually I wanted to embed an Excel table, but both my poor blogging skills and Blogger's unfriendliness did not allow me to. The first classification is the one
made in the books, and the second answer, in parentheses, is my opinion. Please share your opinion
with me.
Fence : Physical, Deterrent (Preventive)
Lighting : Physical, Deterrent (Detective)
Server Images : Technical, Corrective (Recovery)