
Control Combinations

dobaweve's version from 2018-02-23 00:32


Question: Preventive/Administrative
Answer: In this pairing, the emphasis is on "soft" mechanisms that support the access control objectives. These mechanisms include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.

Question: Preventive/Technical
Answer: The preventive/technical pairing uses technology to enforce access control policies. These technical controls are also known as logical controls and can be built into the operating system, can be software applications, or can be supplemental hardware/software units. Some typical preventive/technical controls are protocols, encryption, smart cards, biometrics (for authentication), local and remote access control software packages, call-back systems, passwords, constrained user interfaces, menus, shells, database views, limited keypads, and virus scanning software. Protocols, encryption, and smart cards are technical mechanisms for protecting information and passwords from disclosure. Biometrics apply technologies such as fingerprint, retina, and iris scans to authenticate individuals requesting access to resources, and access control software packages manage access to resources holding information from subjects local to the information system or from those at remote locations. Call-back systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding. Constrained user interfaces limit the functions that a user can select; for example, some functions might be "grayed out" on the user menu and cannot be chosen. Shells limit the system-level commands that an individual or process can use. Database views are mechanisms that restrict the information that a user can access in a database. Limited keypads have a small number of keys that the user can select, so the functions that are intended not to be accessible by the user are not represented on any of the available keys.

Question: Preventive/Physical
Answer: Many preventive/physical measures are intuitive. These measures are intended to restrict physical access to areas with systems holding sensitive information. A circular security perimeter that is under access control defines the area or zone to be protected. Preventive/physical controls include fences, badges, multiple doors (a man-trap consists of two doors physically separated so that an individual can be "trapped" in the space between them after entering one of the doors), magnetic card entry systems, biometrics (for identification), guards, dogs, environmental control systems (temperature, humidity, and so forth), and building and access area layout. Preventive/physical measures also apply to areas that are used for storage of backup data files.

Question: Detective/Administrative
Answer: Several detective/administrative controls overlap with preventive/administrative controls because they can be applied both to prevent future security policy violations and to detect existing violations. Examples of such controls are organizational policies and procedures, background checks, vacation scheduling, the labeling of sensitive materials, increased supervision, security awareness training, and behavior awareness. Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records.

Question: Detective/Technical
Answer: The detective/technical control measures are intended to reveal violations of security policy by technical means. These measures include intrusion detection systems and automatically generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed logon attempts at a workstation; three or fewer logon attempts by an individual at a workstation are then not reported as a violation, which eliminates the need to review normal logon entry errors.