Control Types and Purposes

You achieve access control through an entire set of controls which, identified by purpose, include

• Preventive controls, for reducing risk

• Detective controls, for identifying violations and incidents

• Corrective controls, for remedying violations and incidents and improving existing preventive and detective controls

• Deterrent controls, for discouraging violations

• Recovery controls, for restoring systems and information

• Compensating controls, for providing alternative ways of achieving a task

You implement most access control mechanisms with the primary goal of reducing risk (that is, they’re preventive in nature). Detective, corrective, deterrent, recovery, and compensating controls work in a complementary manner with preventive controls to help create an organization’s overall security posture.

For example, detective controls help to determine when preventive controls have failed, been bypassed, or are otherwise ineffective or non-existent. Corrective controls help an organization appropriately address access violations or other security incidents. Deterrent controls dissuade malicious or unauthorized activity. Recovery controls return systems and information to their original capabilities when damage has occurred, and compensating controls provide substitute control options for management when other more effective controls aren’t possible or feasible.

Many access control mechanisms aren’t mutually exclusive in purpose or function. For example, a security guard serves primarily a preventive and detective function, but can also be a strong deterrent and, with proper equipment and training, can assist in correcting and recovering from a security incident.

To keep all these concepts nicely organized, the various controls mentioned in the preceding list are often divided up into three distinct control categories: administrative, technical, and physical.

Tip: Access controls can be administrative, technical, or physical.

Administrative controls

Administrative controls include the policies and procedures that an organization implements as part of its overall information security strategy. Administrative controls ensure that technical and physical controls are understood and properly implemented in accordance with the organization’s security policy. The purpose of administrative controls is most often preventive and detective, although you can also implement them as deterrent and compensating controls. Administrative controls may include

• Policies, standards, guidelines, and procedures

• Security awareness training

• Asset classification and control

• Employment policies and personnel practices (background checks, job rotations, and separation of duties and responsibilities)

• Account administration

• Account, log, and journal monitoring

• Review of audit trails

Cross-reference: We discuss administrative controls in greater detail in Chapters 6 and 10.

Technical controls

Technical (or logical) controls use hardware and software technology to implement access control.

Tip: Technical controls (or logical controls) are the hardware and software mechanisms used to implement access controls. The CISSP exam uses both terms interchangeably, and they refer to the same thing.

Preventive technical controls include

• Encryption: Data Encryption Standard (DES), Advanced Encryption Standard (AES), and Merkle-Hellman Knapsack

• Access control mechanisms: Biometrics, smart cards, and tokens

• Access control lists: Permission lists that define what a subject can or cannot do to an object

• Remote access authentication protocols: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Remote Authentication Dial-In User Service (RADIUS), and Lightweight Directory Access Protocol (LDAP)

Detective technical controls include

• Violation reports

• Audit trails

• Network monitoring and intrusion detection

Although technical controls are primarily preventive and detective, you may also use them for corrective, deterrent, and recovery purposes.
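To show how a preventive technical control and a detective technical control complement each other, here is a small added example (not from the book): an access control list enforces default-deny on each request, every decision is written to an audit trail, and a violation report built from that trail flags subjects with repeated denials. The ACL contents, subject names, and the threshold of two denials are constructed for illustration.

```python
from collections import Counter

# Constructed ACL: object -> subject -> set of permitted actions.
# Anything not listed is denied (default deny).
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr_policy.pdf": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def check_access(subject, action, obj, trail, acl=ACL):
    """Preventive control: grant the request only if the ACL explicitly
    permits this subject to perform this action on this object.
    Every decision, allowed or denied, is appended to the audit trail
    so that the detective control below has something to work from."""
    allowed = action in acl.get(obj, {}).get(subject, set())
    trail.append(
        {"subject": subject, "action": action, "object": obj, "allowed": allowed}
    )
    return allowed


def violation_report(trail, threshold=2):
    """Detective control: count denied attempts per subject and report
    those at or above the threshold, which is where preventive control
    alone gives no signal that something is being probed."""
    denied = Counter(e["subject"] for e in trail if not e["allowed"])
    return {subj: n for subj, n in denied.items() if n >= threshold}


def run_demo():
    """Replay a constructed sequence of requests and return the report."""
    trail = []
    requests = [
        ("alice", "write", "payroll.db"),   # permitted by ACL
        ("bob", "write", "payroll.db"),     # bob may only read
        ("carol", "read", "payroll.db"),    # carol not listed for this object
        ("carol", "delete", "payroll.db"),  # second denial for carol
        ("dave", "read", "no_such_file"),   # unknown object: denied
    ]
    for subject, action, obj in requests:
        check_access(subject, action, obj, trail)
    return violation_report(trail)


if __name__ == "__main__":
    print(run_demo())
```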

Cross-reference: Technical controls are the focus of this chapter; we also discuss them in Chapters 5 through 8.

Physical controls

Physical controls ensure the safety and security of the physical environment. These are primarily preventive or detective in nature.

Preventive physical controls include

• Security perimeters, such as fences, locked doors, and restricted areas

• Guards and dogs

Detective physical controls include

• Motion detectors

• Video cameras

Often, physical controls are also deterrent in nature. For example, fences, locked doors, security guards and dogs, motion detectors, and video cameras, in addition to being preventive and detective controls, also function as effective deterrent controls in many cases.

Cross-reference: We discuss physical controls in Chapter 13.
