CISSP For Dummies

Controls are steps in processes - or components in information systems - that are used to enforce compliance with business or security rules. The enforcement of a control can be based on technology, or it may be a manual step or procedure performed by an individual.

 Instant Answer   The major types of controls are

• Preventive controls: Used to prevent errors and unauthorized actions.

• Detective controls: Used to detect errors and unauthorized activities.

• Corrective controls: Used to reverse or minimize the impact of errors and unauthorized events. These are also known as recovery controls.

• Automatic controls: Those that automatically enforce a security policy.

• Manual controls: Those that must be proactively performed in order to enforce a security policy.

All the controls in this section fall into these categories. A control is preventive, detective, or corrective; also, the control is either automatic or manual.

Operations controls are the processes and procedures that are used to protect business operations and information. The major operations controls are

• Resource protection

• Privileged entity controls

• Change controls

• Media controls

• Administrative controls

• Trusted recovery

Resource protection

Resource protection is the broad category of controls that protects information assets and information infrastructure. The resources that require protection include

• Communications hardware and software: This category includes routers, switches, firewalls, load balancers, multiplexers, fax machines, Virtual Private Network (VPN) servers, and so on, as well as the software that these devices use.

• Computers and their storage systems: This group includes all corporate servers, Redundant Array of Independent Disks (RAID) systems, storage area networks (SANs), network attached storage (NAS), and backup devices.

• Business data: This category includes all stored information such as financial data, sales and marketing information, personnel and payroll data, customer and supplier data, and so on.

• System data: This category includes operating systems, utilities, userid and password files, audit trails, configuration files, and so on.

• Backup media: This category includes tapes, removable disks, and so on.

• Software: This category includes application source code, programs, tools, libraries, vendor software, and other proprietary software.

Privileged entity controls

Privileged entity controls are the mechanisms, generally built into computer operating systems, that give privileged access to hardware, software, and data. In UNIX and Windows, the controls that permit privileged functions reside in the operating system.

Change controls

Change controls are the people-operated processes that are used to govern architectural and configuration changes in a production environment. Rather than just make changes to systems and the way that they relate to each other, change control is a formal process of proposal, design, review, approval, implementation, and recordkeeping.

 Instant Answer   The two prevalent forms of change controls are change management and configuration management:

• Change management is the approval-based process that ensures that only approved changes are implemented.

• Configuration management is the control that records all the soft configuration (settings and parameters in the operating system, database, and application), and software changes that are performed with approval from the change management process.

Media controls

Media controls refer to a broad category of controls that are used to manage information classification and physical media. Information classification refers to the tasks of marking information according to its sensitivity, as well as the subsequent handling, storage, transmission, and disposal procedures that accompany each classification level. Physical media is similarly marked; likewise, controls specify handling, storage, and disposal procedures.

Administrative controls

Administrative controls refer to the family of controls that includes least privilege, separation of duties, and rotation of duties. These controls form the basis of many processes as well as access control and function control methodologies.

Trusted recovery

Trusted recovery is concerned with the processes and procedures that support the hardware or software recovery of a system. Specifically, the confidentiality and integrity of the information stored on and the functions served by a system being recovered must be preserved at all times.

The primary issue with system recovery is that a system may be operated briefly in maintenance or single-user mode in which all the software controls protecting the operating system and business data may not be functioning.

Organizations that are concerned with the integrity and confidentiality of data should have well-defined processes and procedures for system recovery to ensure that no inappropriate disclosure or leakage of sensitive information can occur.