Using Technology for Access Control Policy Enforcement

B.

The preventive/technical pairing uses technology to enforce access control policies.

TECHNICAL CONTROLS - Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices.

Technical controls are sometimes referred to as logical controls.

Preventive Technical Controls - Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources.

Examples of these controls include: Access control software.

Antivirus software.

Library control systems.

Passwords.

Smart cards.

Encryption.

Dial-up access control and callback systems.

Preventive Physical Controls - Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters.

Examples of these controls include: Backup files and documentation.

Fences.

Security guards.

Badge systems.

Double door systems.

Locks and keys.

Backup power.

Biometric access controls.

Site selection.

Fire extinguishers.

Preventive Administrative Controls Preventive administrative controls are personnel-oriented techniques for controlling peoples behavior to ensure the confidentiality, integrity, and availability of computing data and programs.

Examples of preventive administrative controls include: Security awareness and technical training.

Separation of duties.

Procedures for recruiting and terminating employees.

Security policies and procedures.

Supervision.

Disaster recovery, contingency, and emergency plans.

User registration for computer access.

Source: KRUTZ, Ronald L.

& VINES, Russel.

D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.

The correct answer is B. Preventive/Technical.

Access control policies are designed to restrict access to resources based on certain criteria, such as the identity of the user, the time of day, or the location of the resource. There are several types of access control, including preventive, detective, and corrective control.

Preventive access control measures are designed to prevent unauthorized access before it occurs. These measures typically involve the use of technology, such as firewalls, intrusion detection systems, or access control lists, to enforce access control policies.

Technical controls are a type of preventive control that uses technology to enforce access control policies. For example, an access control list (ACL) is a technical control that specifies which users are allowed to access a particular resource based on their identity or group membership.

Administrative controls, on the other hand, are a type of preventive control that uses policies and procedures to enforce access control. For example, a security policy that requires users to use strong passwords is an administrative control.

Physical controls are another type of preventive control that uses physical barriers, such as locks or security cameras, to restrict access to resources.

Detective controls are designed to detect unauthorized access after it occurs. For example, an intrusion detection system may detect an unauthorized user attempting to access a system and alert the security team.

In summary, the pairing that uses technology to enforce access control policies is Preventive/Technical (option B).