Page 182 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Physical
Physical controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
Applicable Types of Controls
The term security control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Controls mitigate a wide variety of information security risks.

Whenever possible, you want to prevent any type of security problem or incident. Of course, this isn't always possible, and unwanted events occur. When they do, you want to detect the events as soon as possible. And once you detect an event, you want to correct it.
As you read the control descriptions, notice that some are listed as examples of more than one access-control type. For example, a fence (or perimeter-defining device) placed around a building can be a preventive control (physically barring someone from gaining access to a building compound) and/or a deterrent control (discouraging someone from trying to gain access).
Deterrent
A deterrent control is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted