CompTIA Security+ SY0-601 – 5.1 Various types of controls

1. Control Types and category

In this video I’m going to be covering different categories and types of controls that are on your exam. Now this is a very good topic for exam questions. They will test the hell out of you on this. You want to make sure you know it well. So there are three categories of controls that we need to talk about and there are six control types and they generally go together are so let’s go through what they are and how controls fall into them. First of all, what are controls? Well, controls are the things we use to secure our environment. A Firewall is a preventive control. So the security guard is a preventive control. User Awareness training, that’s a control configuring, an IDs, that’s a control.

So these controls that we implement, all the controls that we have talked about in this class and we’re going to talk about basically falls into these control types and categories. Let’s take a look at what they are. So the first thing up I have here is going to be the concept of the concept of categories. So there’s three categories managerial or management controls, operational controls and technical controls. Now management controls relates to what management is going to be doing more of management of information security. So management controls controls that falls in here are going to be things like risk assessment, doing different types of planning and planning for different types of how we’re going to manage security in the future.

And currently systems acquisitions or acquiring systems, how are we going to do that? And then also the other ones are going to be things like Certifying systems and Accrediting systems to come into production because generally management will determine should we be installed in systems on our network, so they’re going to credit those systems to be installed. The next part we have is operational control. Now operational control includes a lot operation control is directly dealing with people, it’s implemented and executed by people. And operational controls are going to be things that we’ll do to secure personnel safety. Environmental controls such as HVAC systems contingency, disaster recovery planning, VCP planning, configuration, maintenance of physical environments.

It also includes media protection, physical media protection, incident responses and also we have user and awareness training. So all of that is going to apply to operational controls. Now the other thing we have are technical controls and this is where you tech folks are going to like. This is doing identification and authentication such as using biometric systems. This is where we’re going to have different forms of technical access controls like firewalls, IDs systems, login and monitoring our computer systems and different types of communication protections. And also encryption falls into these categories. So these are the three categories you have managerial, operational and technical. Now the other thing here are control types. Here you have six of them.

Now a preventive control can stop someone from coming into your network.Preventive controls are stopping control. Security guards can stop someone. A security dog, a firewall can stop someone. So these are preventive controls. They can prevent intrusion. Detective controls can detect intrusions are happening in your network. Think of an intrusion detection system, think of camera systems also could do that. You also have corrective controls. Corrective controls is when there is an intrusion that things needs to be fixed. You’re going to have to reimage the machine as a corrective control. Reinstalling windows or recovering data. How do we scare off intruders? Well, cameras are a great way to detect intruders.

Our sensor systems, different types of sensors like motion detectors. But cameras are great deterrence security guards. Notice how these things have fallen into multiple control types. Security guards also great deterrent controls. So deterrent controls are controls that scares people off. One of the last one here is physical control. You notice I skip one, I’ll connect it out in a minute. Physical controls are things that you can physically touch and feel. Things like cable locks to lock down a computer, security guards, cameras, door locks, guard dogs, HVAC systems to keep your environment cool. These are all considered physical. So if you can touch and feel it, it’s generally considered a physical control.

Now what happens if you don’t have the best control? Well, there’s many times an organization may not have the best control out there, so they have to do a compensate and control. For example, you know what’s a good control to have? Separation of duty, in which case you break up the duties amounts how the task people are doing. This helps to reduce fraud. If one person can write the check, sign the check and cash the check, but they can do a lot of fraud because nobody’s going to check somebody stealing money. But once you do separation of duties and then you will break up into three different people. But in order to do this, you need to have money and companies may not have the best control. Separation is a great control.

So what you do have compensated controls. What you have to do is monitor the user more so you don’t have the best control. Take the second best one that’s considered a compensating control. Okay, make sure watch this video again, review this section again. You’re probably going to get a question or two on the exam where they’re going to give you a list of controls and they’re going to say which one of these is going to stop? But which one of these are going to be able able to detect an intrusion? Which one of these are operational? Which one of these are technical controls? So you’re going to have to actually know what this is when it comes to taking your exam.

• Category: Uncategorized