Password Management: Control Category and Best Practices

Password Management


Question

Password management falls into which control category?

Answer

C.

Explanations

Password management is an example of preventive control.

Proper passwords prevent unauthorized users from accessing a system.

There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world.

Each method addresses a different type of access control or a specific access need.

For example, access control solutions may incorporate identification and authentication mechanisms, filters, rules, rights, logging and monitoring, policy, and a plethora of other controls.

However, despite the diversity of access control methods, all access control systems can be categorized into seven primary categories.

The seven main categories of access control are:

1. Directive: Controls designed to specify acceptable rules of behavior within an organization
2. Deterrent: Controls designed to discourage people from violating security directives
3. Preventive: Controls implemented to prevent a security incident or information breach
4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5. Detective: Controls designed to signal a warning when a security control has been breached
6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7. Recovery: Controls implemented to restore conditions to normal after a security incident

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1156-1176). Auerbach Publications. Kindle Edition.

Password management falls into the preventive control category.

Preventive controls are designed to prevent or deter unauthorized access to resources, such as systems, applications, or data. Password management is a key preventive control used to secure access to systems and applications by enforcing strong passwords, regular password changes, and other policies that help ensure only authorized individuals can gain access to sensitive information.

Good password management includes implementing a strong password policy, providing training to employees on how to create and manage strong passwords, and regularly auditing password usage to ensure compliance with established policies.

In contrast, detective controls are used to identify and respond to security incidents after they occur, while compensating controls are used to mitigate the risk of a security breach when preventive and detective controls are not enough.

Technical controls belong to a different classification axis, one that groups controls by how they are implemented rather than by what they achieve: technical controls are those implemented through technology, such as access control lists, firewalls, and intrusion detection systems. Password management can be considered a technical control in the sense that it often involves technology, such as password management software or two-factor authentication, to enforce password policies and secure access to resources. By function, however, password management is primarily a preventive control, because it is used to prevent unauthorized access to resources rather than to detect or compensate for breaches that have already occurred.