Page 183 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
action. In contrast, a preventive control actually blocks the action.
Some examples include policies, security-awareness training, locks,
fences, security badges, guards, mantraps, and security cameras.
Preventive
A preventive control is deployed to thwart or stop unwanted or
unauthorized activity from occurring. Examples of preventive controls
include fences, locks, biometrics, mantraps, lighting, alarm systems,
separation of duties, job rotation, data classification, penetration
testing, access-control methods, encryption, auditing, presence of
security cameras or closed-circuit television (CCTV), smartcards,
callback procedures, security policies, security-awareness training,
antivirus software, firewalls, and intrusion prevention systems (IPSs).
Detective
A detective control is deployed to discover or detect unwanted or
unauthorized activity. Detective controls operate after the fact and can
discover the activity only after it has occurred. Examples of detective
controls include security guards, motion detectors, recording and
reviewing of events captured by security cameras or CCTV, job
rotation, mandatory vacations, audit trails, honeypots or honeynets,
intrusion detection systems (IDSs), violation reports, supervision and
reviews of users, and incident investigations.
Compensating
A compensating control is deployed to provide alternatives to other
existing controls, aiding in the enforcement and support of security
policies. Compensating controls can be any controls used in addition to,
or in place of, another control. For example, an organizational policy
may dictate that all PII must be encrypted. A review discovers that a
preventive control encrypts all PII stored in databases, but PII
transferred over the network is sent in cleartext. A compensating control,
such as encrypting the network connection with TLS, can be added to
protect the data in transit.
Corrective
A corrective control modifies the environment to return systems to