Page 953 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
3. Grant or restrict access based on the subject’s identity.

4. Monitor and record access attempts.


A broad range of controls is involved in these steps. The three primary control types are preventive, detective, and corrective. Whenever possible, you want to prevent any type of security problem or incident. Of course, this isn’t always possible, and unwanted events occur. When they do, you want to detect the event as soon as possible. If you detect an event, you want to correct it.

There are also four other access control types, commonly known as deterrent, recovery, directive, and compensating access controls.

As you read about the controls in the following list, you’ll notice that some examples are used in more than one access control type. For example, a fence (or perimeter-defining device) placed around a building can be a preventive control because it physically bars someone from gaining access to a building compound. However, it is also a deterrent control because it discourages someone from trying to gain access.

Preventive Access Control A preventive control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of preventive access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation-of-duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, the presence of security cameras or closed-circuit television (CCTV), smartcards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.

Detective Access Control A detective control attempts to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred. Examples of detective access controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users,