Security Controls - CompTIA Security+ SY0-701 - 1.1
Summary
TLDR: This video script delves into the multifaceted world of IT security, emphasizing the importance of various security controls to safeguard data and physical assets. It categorizes controls into technical, managerial, operational, and physical, illustrating preventive, deterrent, detective, corrective, compensating, and directive control types. The script provides practical examples for each, highlighting the dynamic nature of security measures in an evolving technological landscape.
Takeaways
- 🛡️ Technical controls involve implementing security measures using technical systems like operating system policies, firewalls, and antivirus software.
- 📋 Managerial controls are policies and procedures that guide the management of computers, data, and systems within an organization.
- 👥 Operational controls rely on people to enforce security measures, such as security guards, awareness programs, and training sessions.
- 🏢 Physical controls are measures that restrict physical access to buildings, rooms, or devices, including guard shacks, fences, locks, and badge readers.
- 🚫 Preventive controls are designed to limit access to resources and can be technical, managerial, operational, or physical in nature.
- ⚠️ Deterrents may not prevent access but discourage potential attackers by making them reconsider their actions, fitting into all four control categories.
- 🕵️‍♂️ Detective controls identify and log breaches, providing warnings and information about attacks, and can be categorized as technical, managerial, operational, or physical.
- 🛠️ Corrective controls are applied after an event is detected to reverse the impact or minimize downtime, including technical backups, managerial policies, operational responses, and physical equipment.
- 🔄 Compensating controls are temporary measures used when resources are lacking to address a security event, and they can be technical, managerial, operational, or physical.
- 📜 Directive controls are weaker and involve directing individuals to act more securely, such as storing sensitive information in protected folders or following compliance policies.
- 🔄 The script emphasizes the adaptability and evolution of security controls, suggesting that organizations may have unique implementations and new controls may emerge.
Q & A
What are the primary objectives of implementing security controls in IT?
-The primary objectives of implementing security controls in IT are to prevent unauthorized access to systems, minimize the impact of security events that do occur, and limit the damage if an attacker gains access to the computing environment.
What are the four broad categories of security controls mentioned in the script?
-The four broad categories of security controls mentioned are technical controls, managerial controls, operational controls, and physical controls.
Can you explain what technical controls involve in the context of IT security?
-Technical controls in IT security involve implementing measures using technical systems such as setting up policies within an operating system, using firewalls, antivirus software, and other security measures to prevent unauthorized access and functions.
What are managerial controls and how do they differ from technical controls?
-Managerial controls are policies and procedures created to guide people on the best way to manage their computers, data, and systems. They differ from technical controls in that they rely on documented policies rather than technological implementations.
How do operational controls contribute to IT security?
-Operational controls contribute to IT security by using people to set and enforce security measures. Examples include security guards, awareness programs, and training sessions that help in understanding and implementing best practices for IT security.
What is the purpose of physical controls in an IT security context?
-Physical controls are designed to limit physical access to buildings, rooms, or devices. They include measures such as guard shacks, fences, locks, and badge readers to prevent unauthorized entry into secured areas.
Can you provide an example of a preventive control type in IT security?
-A preventive control type in IT security could be a firewall rule that prevents unauthorized access to a specific part of the network or a guard shack that checks identification of everyone entering a facility.
What is a deterrent control type and how does it function in security?
-A deterrent control type does not prevent access but discourages potential attackers, making them reconsider their actions. Examples include security information displayed on application splash screens or the threat of demotion or dismissal for policy violations.
What is the role of detective controls in identifying security breaches?
-Detective controls identify and log information about security breaches. They may involve reviewing system logs, login reports, or patrolling property to detect unauthorized access or activity.
How do corrective security controls help in the aftermath of a security incident?
-Corrective security controls are applied after an event is detected to reverse the impact or minimize downtime. Actions like restoring systems from backups, implementing policies for incident reporting, or contacting law enforcement are examples of corrective controls.
What is a compensating control and when might it be used?
-A compensating control is used when you lack the means to reverse the effects of a security event. It involves using other means to manage the security incident temporarily, such as blocking traffic with firewall rules or separating duties among staff.
What is the significance of directive controls in security practices?
-Directive controls are weaker security measures that direct individuals to act more securely. They include policies that require storing sensitive information in encrypted folders or signs indicating 'authorized personnel only' to guide access.
Outlines
🛡️ IT Security Risks and Control Categories
The first paragraph introduces the various security risks in IT and the importance of preparing for them. It emphasizes the need to protect not only data but also physical systems and people. The video will explore different security controls to prevent incidents and minimize their impact. Four broad categories of security controls are mentioned: technical, managerial, operational, and physical controls. Technical controls involve system-based implementations like firewalls and antivirus software. Managerial controls consist of policies and procedures to guide secure practices. Operational controls rely on human actions, such as security guards and awareness programs. Physical controls limit access to buildings or rooms through means like locks and badge readers. The paragraph sets the stage for a deeper dive into specific types of controls and their respective categories.
🔒 Types of Security Controls and Their Applications
This paragraph delves into the specifics of different control types used in IT security. It categorizes preventive controls, which limit access to resources, into the four previously mentioned control types. For instance, firewall rules are a technical preventive control, while guard shacks are operational. The paragraph then discusses deterrent controls that discourage potential attackers through measures like splash screens or the threat of demotion. Detective controls, which identify and log breaches, are exemplified by system log reviews and property patrols. Corrective controls are introduced as post-breach measures that can reverse or mitigate the impact of security incidents, such as restoring from backups or contacting law enforcement. Compensating controls are temporary measures taken when a direct resolution is not immediately possible, like blocking traffic with a firewall rule until a patch for the vulnerability is available. Lastly, directive controls are weaker, guiding users to more secure practices, such as storing sensitive information in encrypted folders. The paragraph concludes by illustrating how these controls fit into the four categories, providing examples for each.
📚 Security Policies and Training for Enhanced Protection
The final paragraph focuses on directive control types, which are less about enforcing security and more about guiding users towards secure behaviors. It discusses the importance of having clear security policies and compliance procedures to ensure everyone understands the necessary processes. Training users on security policies is highlighted as a way to reinforce these practices. The paragraph also touches on physical directive controls like signs indicating 'authorized personnel only'. It concludes by emphasizing that the examples given are not exhaustive and that different organizations may use different controls. It acknowledges the evolving nature of technology and security processes, suggesting that new control types may emerge and existing ones may be adapted to fit changing needs.
Keywords
💡IT security
💡Security risks
💡Technical controls
💡Managerial controls
💡Operational controls
💡Physical controls
💡Preventive controls
💡Deterrent
💡Detective controls
💡Corrective controls
💡Compensating controls
💡Directive controls
Highlights
IT security involves preparing for various security risks to protect data and physical systems.
Security controls can prevent events, minimize impact, and limit damage from unauthorized access.
Technical controls are implemented using technical systems like operating system policies, firewalls, and antivirus software.
Managerial controls involve creating policies and procedures to guide secure management of computers and data.
Operational controls utilize people for security, such as security guards, awareness programs, and monthly training sessions.
Physical controls limit physical access to buildings, rooms, or devices through measures like guard shacks, fences, locks, and badge readers.
Preventive controls restrict access to resources, like firewall rules or guard shacks checking identification.
Deterrent controls discourage unauthorized access, such as splash screens with security information or the threat of demotion.
Detective controls identify and log breaches, like system log reviews or property patrols for security breaches.
Corrective controls are applied after a breach to reverse impacts or minimize downtime, such as restoring from backups.
Compensating controls provide alternative means of security when a direct solution is not available, like blocking traffic until a patch is applied.
Directive controls guide users to perform more secure actions, like storing sensitive information in encrypted folders.
Compliance policies and procedures are part of directive controls, ensuring everyone understands proper security processes.
Security policy training is an operational directive control, educating users on the importance of security policies.
Signs like 'authorized personnel only' are physical directive controls, influencing behavior without physical barriers.
Examples provided for security controls are not exhaustive and can vary based on technological changes and security processes.
Different organizations may use unique security controls based on their specific needs and processes.
Transcripts
If you've spent any amount of time in IT security, you know there are many different security risks that you need to prepare for. The attackers are looking for different ways to gain access to our systems. And we need to find different ways to prevent them from getting that access. But of course, we're not just protecting data. We're also protecting physical systems, buildings, people, and everything in our organization. In this video, we'll look at different security controls and how they can be used to prevent events from occurring in the first place. We can minimize the impact of events that ultimately do occur. And in many cases, we can limit the damage if someone does find a way into our computing environment. Let's look at some very broad categories of security controls.

The first category we'll look at is technical controls. These are controls that we implement using some type of technical system. So if you're someone who is managing an operating system, you might set up policies and procedures within the operating system that would allow or disallow different functions from occurring. We can also put firewalls, antivirus, and other types of software into this category of technical controls.

As a security administrator, you'll also want to create a series of policies that explain to people the best way to manage their computers, their data, or their other systems. We refer to these as managerial controls. So if you are creating a series of policies and procedures or you're creating official security policy documentation, you'll often put these managerial controls inside of your security policies. You might also see these managerial controls implemented into day-to-day processes as part of your standard operating procedures.

Another important control category is the operational controls. Unlike using technology to manage these controls, operational controls are using people to be able to set these controls. So if you have security guards at your place of work, you're doing monthly lunch and learns, or you have some type of posters or awareness program at work to help explain the best practices for IT security, then you can put these into the category of operational controls.

And the last category that we have is physical controls. As the name implies, these are controls that would limit someone's physical access to a building, a room, or a device. This might be something like a guard shack, so they can check everyone coming into a particular area. Maybe there are fences and locks to keep people out. Or maybe you use badge readers to limit the access into certain areas within your building. So in this video, we'll focus on these four categories of controls: the technical, managerial, operational, and physical. And in this video, we'll look at a number of different control types and determine where we would fit certain control types into certain categories.
The first control type we'll look at is a preventive control type. This is a control type that limits someone's access to a particular resource. You can think of this as something like a firewall rule, which would prevent somebody from gaining access to a particular area of your network. Or it may be something that's more tangible, such as a guard shack checking everyone's identification as they come into your facility. A good way to test yourself with these different control types is to determine which category a certain type will fit into. So when we deal with preventive control types, we can look at firewall rules. And since those are handled at a technical level, then those would fit into the technical category. As we hire people, we may want to set a certain type of policy for onboarding. And those would be policies set as part of a managerial category. We've already mentioned a guard shack checking everyone's identification. And since that's done by a person, we can fit that into an operational category. And lastly, we have door locks, which are physical devices preventing access to a room. So that would fit into the physical category.

Another important control type is a deterrent. And although a deterrent may not prevent someone from accessing a resource, it may give them a discouragement or have them think twice about the attack that they're planning. For example, when you start an application, there may be a splash screen that provides security information and restricts people who are not authorized from gaining access to that system. Or there might be the threat of a demotion or a dismissal if somebody gains access to data that they should not be accessing. There might also be a front reception desk greeting everyone who walks in or warning signs telling people that if they gain access to this facility there would be consequences. These fit perfectly into our four categories. A splash screen is a deterrent that fits into the technical category. A demotion is a managerial category. The reception desk fits into the operational category. And the warning signs are a physical deterrent.

A detective control type can identify and, in some cases, warn us when a particular breach has occurred. This may not prevent access. But it would give us a warning and log information about that particular attack. An example of a detective control type may be a process of collecting, reviewing, and going through system logs. Or you may be reviewing log-in reports about who's gained access to your systems. There might be someone patrolling the property, looking for cases where someone might have broken into your facility. And you might have motion detectors so that you're automatically notified if something is moving in an area where normally there should be no motion. The system logs that are detailing everything that's going on in your systems would fit into the technical category. Someone reviewing log-in reports every day or every week would fit into the managerial category. Someone patrolling the property would be an operational category. And then the motion detectors provide us with a physical category.
If there is a notification that someone has breached a system or gained access into a certain area of your business, then you want to apply a corrective security control. A corrective security control is something that occurs after the event has been detected. This is sometimes able to reverse the impact of that particular event. Or you may be able to continue operating with your business with minimal downtime, thanks to these corrective controls. For example, if a computer has been infected with ransomware and it has encrypted everything on that system and made all of the data inaccessible, you can simply erase everything on that computer and restore it back to a known good system using your backups. You might also want to create policies so that if there are security issues or something unusual that you see happen, then those would be rolled up into an alert or some type of notification. And if you find that someone has jumped your fence or they've tried to get in through a door in your building, you may need to contact law enforcement to be able to correct that particular incident. And if something catches fire, you can grab a fire extinguisher and make sure that that fire doesn't spread any further, thereby correcting that particular event. And as you might expect, those are four events that certainly fit into the four categories that we have. For example, recovering from a backup would be a technical category. Being able to have policies for reporting issues when they occur would be in the managerial category. Contacting authorities for some type of legal issue would be an operational category. And your fire extinguisher is a physical category.

You might also find yourself in a situation where a security event has occurred, but you don't have the resources or means to be able to reverse what that particular event has caused. In those cases, you may want to use a compensating control type, which provides you with other means to control that particular security event. This may be something you use on a temporary basis until you're able to put together a plan to resolve the overall security incident. For example, you might have an application that is important for your organization. But the application developer has told you that they've identified a significant security vulnerability in that software. Since the application developer is going to provide you with a patch sometime in the future, you may want to set some type of firewall rule today that would prevent somebody from exploiting that particular vulnerability. Or this might be a case where you can separate different duties between different individuals and limit the scope of any type of security concern. Or you might have multiple security guards all working at the same time to make sure that no single security guard has complete access to everything in your environment. And if you lose power in your building, you might want to have a generator so that while you're waiting for main power to be restored, you can compensate by turning on your generator. Those are our four different categories of a compensating control. We have a technical category of blocking that traffic instead of patching the application. There may be a separation of duties for the people that work in your organization. And that fits into the managerial category. You might require multiple security staff working simultaneously. And that would be the operational category. And lastly, having a power generator to compensate for a power outage fits into the physical category.
The last control type we'll look at is a directive control type. This is a relatively weak security control because it is one where you are directing someone to do something more secure rather than less secure. For example, you may require everyone to store sensitive information in a protected and encrypted folder on their system. This requires the user to make a decision about what data may be sensitive and what data may be nonsensitive. And then they are directed to store the sensitive information in the protected folder. As part of our security policies, we may want to add compliance policies and procedures so that everyone understands the proper processes to use for security in your environment. You might also train users on what the proper security policies might be. And another example of a directive control may be a sign that you put on a door that says "authorized personnel only." There might not be a lock on the door. But the sign saying "authorized personnel only" directs people to either enter or not enter that particular door. So to summarize these, our file storage policies will direct people to this technical category. A compliance policy fits into a managerial category. Someone performing a security policy training course would be a directive control type fitting into the operational category. And a sign on a door that says "authorized personnel only" fits into the physical category.

The examples I provided for the different security controls and the categories where they fit are simply one single example. And you can probably think of a number of different examples that you could fit into any of those squares in our matrix. You could probably also think of different security controls that might fit into a different category of control or a different type of control. You might also find as our technology changes and our security processes evolve that there might be new control types that we could fit into our chart. And of course, not everybody uses the same security controls. So the ones that you use in your organization may be very different than someone else's organization.