Weekly Report #3
This week, your report should address the following:
- Consideration of risk response approaches (avoid, accept, mitigate, transfer)
- Application of security principles, including the defense-in-depth security principle
- Compliance issues
Security Control Types
- Physical controls: Tangible controls used to prevent or detect unauthorized physical access to assets. Examples: fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTV and surveillance cameras, motion sensors, fire suppression, and environmental controls (HVAC, humidity controls, etc.).
- Technical controls (aka logical controls): Hardware or software components used to protect assets. Examples: authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), constrained interfaces, access control lists (ACLs), and encryption.
- Administrative controls: Policies, procedures, or guidelines that define personnel or business practices in accordance with the organization’s security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.
The same controls can also be grouped by the function they serve:
- Protect (Prevent): Controls in this category are designed to stop unauthorized activity from occurring in the first place. Examples: clean desk policy, firewall, ACL
- Detect: Controls in this category identify unauthorized activity, either while it is in progress or after it has occurred, and raise an alert. Examples: intrusion detection system, CCTV, audit logs
- Respond (Correct): Controls in this category repair damage or restore resources and capabilities to their prior state after an unauthorized activity. Example: restoring from backups
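The following is an added example, not part of the original report: a toy file-access mediator that layers one technical control from each functional category (preventive ACL, detective audit log and integrity check, corrective restore from a verified backup) around a single asset. The `payroll.csv` file, the principals `alice`, `bob` and `mallory`, and the ACL contents are constructed for illustration. The defense-in-depth point is visible in the demo: when a change bypasses the ACL entirely, the detective layer still catches it and the corrective layer undoes it.

```python
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mediator:
    """Wraps a set of files in three technical controls, one per functional category."""

    ALERT_THRESHOLD = 3  # denials from one principal before the detective control alerts

    def __init__(self, files, acl):
        self.files = dict(files)
        self.acl = acl  # hypothetical ACL: {asset: {principal: {actions}}}
        # Corrective control: keep a hashed backup copy of every file at baseline.
        self.backup = {name: (data, sha256(data)) for name, data in files.items()}
        # Detective control: an audit trail of every decision plus alerting state.
        self.audit_log = []
        self.denials = defaultdict(int)
        self.alerts = []

    # --- Preventive: the ACL is consulted before any action touches the asset.
    def _permitted(self, principal, asset, action):
        return action in self.acl.get(asset, {}).get(principal, set())

    # --- Detective: record every decision; alert on repeated denials.
    def _record(self, principal, asset, action, allowed):
        self.audit_log.append((principal, asset, action, "allow" if allowed else "deny"))
        if not allowed:
            self.denials[principal] += 1
            if self.denials[principal] == self.ALERT_THRESHOLD:
                self.alerts.append(f"{principal}: {self.ALERT_THRESHOLD} denied attempts on {asset}")

    def access(self, principal, asset, action, data=None):
        allowed = self._permitted(principal, asset, action)
        self._record(principal, asset, action, allowed)
        if not allowed:
            return "denied"
        if action == "write":
            self.files[asset] = data
        return "allowed"

    # --- Detective (second layer): catches changes that bypassed the mediator entirely.
    def integrity_ok(self, asset):
        return sha256(self.files[asset]) == self.backup[asset][1]

    # --- Corrective: restore from the backup, refusing a backup that fails its own check.
    def restore(self, asset):
        data, digest = self.backup[asset]
        if sha256(data) != digest:
            raise RuntimeError(f"backup of {asset} failed integrity check; not restoring")
        self.files[asset] = data
        return self.integrity_ok(asset)


def demo():
    """Walk one constructed asset through all three control categories."""
    baseline = b"employee,salary\nalice,100\n"  # constructed sample data
    m = Mediator({"payroll.csv": baseline},
                 acl={"payroll.csv": {"alice": {"read", "write"}, "bob": {"read"}}})
    results = {}
    # Preventive: bob may read but not write; the third denial trips the alert.
    results["bob_read"] = m.access("bob", "payroll.csv", "read")
    results["bob_writes"] = [m.access("bob", "payroll.csv", "write", b"bob,999\n") for _ in range(3)]
    results["alert_count"] = len(m.alerts)
    # Defense in depth: simulate a change that bypassed the ACL (e.g. direct disk access).
    m.files["payroll.csv"] = baseline + b"mallory,999\n"
    results["tamper_detected"] = not m.integrity_ok("payroll.csv")
    # Corrective: restore the verified backup and confirm the asset is back at baseline.
    results["restored"] = m.restore("payroll.csv")
    results["final_matches_baseline"] = m.files["payroll.csv"] == baseline
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restore step deliberately re-hashes the backup before using it: a corrective control is only as good as the integrity of what it restores from, which is why backups are themselves protected (offline or write-once copies) in practice.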