Risk mitigation and risk reduction controls for providing information security are classified within three main categories. Which of the following are they?
Security is generally defined as the freedom from danger or as the condition of safety.
Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction and protection of the computer system itself against unauthorized use, modification, or denial of service.
Because certain computer security controls inhibit productivity, security is typically a compromise: security practitioners, system users, and system operations and administrative personnel work toward a satisfactory balance between security and productivity.
Controls for providing information security can be physical, technical, or administrative.
These three categories of controls can be further classified as either preventive or detective.
Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred.
Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept.
Effective security awareness programs can help increase users' level of tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems.
Common detective controls include audit trails, intrusion detection methods, and checksums.
Three other types of controls supplement preventive and detective controls.
They are usually described as deterrent, corrective, and recovery.
Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures.
These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities, or of threats of consequences that influence a potential intruder not to violate security (e.g., threats ranging from embarrassment to severe punishment).
Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation.
Execution of corrective controls could result in changes to existing physical, technical, and administrative controls.
Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation.
Deterrent, corrective, and recovery controls are considered to be special cases within the major categories of physical, technical, and administrative controls; they do not clearly belong in either preventive or detective categories.
For example, it could be argued that deterrence is a form of prevention because it can cause an intruder to turn away; however, deterrence also involves detecting violations, which may be what the intruder fears most.
Corrective controls, on the other hand, are not preventive or detective, but they are clearly linked with technical controls when antiviral software eradicates a virus, or with administrative controls when backup procedures enable restoring a damaged database.
Finally, recovery controls are neither preventive nor detective but are included in administrative controls as disaster recovery or contingency plans.
Reference(s) used for this question: Handbook of Information Security Management, Hal Tipton.
The correct answer is C: Physical, technical, and administrative.
Risk mitigation and risk reduction controls are an essential part of information security management. They are implemented to minimize the negative impact of potential security incidents and to ensure the confidentiality, integrity, and availability of information assets.
The controls can be classified into three main categories based on their purpose and functionality:
Physical controls: These controls are designed to protect the physical environment in which the information assets are located. Examples include security cameras, access control systems, locks, fences, and environmental controls (e.g., fire suppression systems).
Technical controls: These controls are designed to protect the information assets through technological means. Examples include firewalls, intrusion detection systems, encryption, antivirus software, and patch management.
Administrative controls: These controls are designed to manage human behavior and the policies that affect information security. Examples include security policies, awareness training, access controls, background checks, and incident response plans.
It is important to note that the three categories of controls are interdependent and should be implemented in a balanced way to provide effective information security. For example, physical controls can be bypassed by exploiting technical vulnerabilities, and technical controls can be rendered ineffective by human error or inadequate policies and procedures.
Therefore, a comprehensive information security program should include a combination of physical, technical, and administrative controls to provide layered protection against potential threats and risks.