One of the main reasons to have a variety of access-control types is to provide the organization with true defense in depth. Each control type provides a different level of protection, and because each level can be tweaked to meet the needs of the organization, the security administrator has a very granular level of control over the security mechanisms. Security mechanisms can serve many purposes, although they are primarily used to prevent, detect, or recover from problems. The best approach is for the organization to focus the bulk of its controls on prevention because this allows the organization to stop a problem before it starts. The three access-control types include administrative, technical, and physical controls.
Administrative Controls
Administrative controls are the policies and procedures implemented by the organization. Preventive administrative controls can include security awareness training, strong password policies, and robust pre-employment checks.
Technical Controls
Technical controls are the logical controls you have put in place to protect the IT infrastructure. Technical controls include strong authentication (biometrics or two-factor), encryption, network segmentation, demilitarized zones (DMZs), and antivirus controls.
Physical Controls
Physical controls are the ones you can most likely see. These controls protect against theft, loss, and unauthorized access. Examples of physical access controls include guards, gates, locks, guard dogs, closed-circuit television (CCTV), and alarms.
Be sure you understand the three types of controls that can be used to limit accessadministrative, technical, and physical controlsand what is contained within each set. This is considered required knowledge for the CISSP exam. |
The CISSP Cram Sheet
A Note from Series Editor Ed Tittel
About the Author
Acknowledgments
We Want to Hear from You!
Introduction
Self-Assessment
The CISSP Certification Exam
Physical Security
Security-Management Practices
Access-Control Systems and Methodology
System Architecture and Models
Telecommunications and Network Security
Applications and Systems-Development Security
Operations Security
Business Continuity Planning
Law, Investigations, and Ethics
Cryptography
Practice Exam 1
Answers to Practice Exam 1
Practice Exam 2
Answers to Practice Exam 2