top of page

Domain 2: Asset Security

Study Notes

Data Classification Labels

Click here for more information on What Are Incomparable Sensitivity Labels?

3 Main Categories of Controls

​

Technical Controls

Administrative Controls

Physical Controls

  • Establishing policies, procedures, baselines and guidelines

  • Security awareness training

  • Drug tests

  • Background screening

  • Auditing

  • Classifying data and labels

​

  • ENCRYPTION

  • Anti-Virus

  • Firewalls

  • IPSec, SSL, TLS, VPNs

  • VLANs, Zones, Subnets 

  • Security tokens

  • IDS and IPS

  • Trusted Platform Module

​

  • Locks

  • Security guards

  • Guard dogs

  • Fences, doors, walls, bollards

  • CCTV

  • CPTED

  • Bullet-proof windows

  • Cement barriers

Click here for more information on the different types of Access Control Categories and SubCategories

6 Subcategories of Controls 

Administrative Controls

  • Preventative

    • Non-Disclosure Agreement​

    • Sexual Harassment Agreement

    • Drug Tests

    • Employee Monitoring Policy

  • Deterrent

    • Security Awareness Training

    • ​"Authorized Access Only" sign ​​

  • Detective

    • Firewall logs​

    • Audits

    • Job Rotation

    • Mandatory Vacation

  • Corrective

    • Secure employee termination​

    • Paid/Unpaid administrative leave

  • Recovery

    • BCP/DRP​

    • IRP

    • COOP

    • Cold, warm, hot site 

  • Compensating/Policy

    • Standards, policies, procedures​

Technical Controls

Physical Controls

  • Preventative

    • Firewalls​, IPS

    • Biometric Devices 

    • Multi-Factor Authentication

  • Deterrent

    • Scramble keypad​

  • Detective

    • Network Traffic Logs

    • Access logs

    • IDS​

  • Corrective

    • TCP Timeouts ​

    • Dead Peer Detection

    • Null routes

  • Recovery

    • Backup drives or tapes​

    • Reconstruction of facility

    • Fixing fire or flood damage

  • Compensating/Policy

    • Taking company mandated security awareness quiz via webpage on corporate intranet

  • Preventative

    • Concrete walls​

    • Mantraps

  • Deterrent

    • Security guards​

    • CCTV

    • Barbed wire

  • Detective

    • CCTV

    • Surveillance Camera

  • Corrective

    • Fail-secure

    • Fail-open

  • Recovery

    • Repair Teams​

    • Physical site recovery

  • Compensating/Policy

    • Instructions​

    • Procedures

    • Guidelines

    • Safety Precautions

Preventative Controls

  • Spans administrative, technical, and physical controls to stop threats and risk to a system before it occurs.  

  • Firewalls are preventative controls because they prevent unauthorized access to the network or host

  • The concept of preventative control is that they are supposed to stop a threat from exploiting a risk

Deterrent Controls

  • Unlike preventative controls which deny access altogether, deterrent controls serve as a warning

  • For example, a door lock is an example of a physical deterrent control

  • An invalid SSL certificate warning is an example of a technical deterrent control

  • Deterrent controls can't stop you from taking an action, but they try to discourage it as much as possible

Detective Controls

  • The core concept of detective controls is that they are used for AFTER something has happened

  • Intrusion Detection Systems are used for AFTER a DDOS, IP Spoofing, or malware attack

  • CCTV, IDS systems, police detectives, HIDS, NIDS are controls for after something has happened

Corrective Controls

  • Kind of like a detective control but instead of waiting for an investigation, corrective controls REACT

  • An employee violated the terms of their Non-Disclosure Agreement? 

    • Corrective control: Fire them or some other form of reprimand ​ like unpaid leave 

  • An employee caught creating viruses or stealing information? 

    • Corrective control: Terminate the employee by first taking away laptop, then let HR break the news​

      • Remember: A disgruntled employee can be an insider threat​

        • An insider threat is the biggest type of threat to a company​

Recovery Controls

  • The big difference between corrective and recovery? When you think recovery, think BCP/DRP

  • When a disaster hits an organization, you want to recover as fast as possible

  • Recovery controls involve cold sites, warm sites, hot sites, reciprocal agreements, salvage teams

Compensating or Policy Based Controls

  • The concept of compensating control is a weird one to try and understand

  • Compensating control is like a control that won't work at the present time, but is used at a time of an incident

  • An example would be emergency flood lights.  You don't use emergency lights for regular lights, they are a compensating control when the power is out and light is required

bottom of page