Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 61

Functional security controls implement the risk mitigation decisions that management and leadership have endorsed. The risk assessment and vulnerabilities assessment tasks have led to these decisions; now it's time to make appropriate cost-effective choices about particular controls, thus operationalizing those decisions by providing the tools, techniques, systems elements, and procedural step-by-step that the organization's workforce will need as they go about their day-to-day activities.

The organization has already made decisions about which risks to avoid (by not doing business in particular locations or by abandoning particular business processes); it's also recognized some risks must just be accepted as they are, as an unavoidable but still potential cost of doing business. Chapter 3, “Risk Identification, Monitoring, and Analysis” goes into further depth on how information risks are identified and assessed and how organizational leadership makes both strategic, big-picture risk management decisions, as well as planning for risk mitigation and making the resources available to carry out those plans. Management has also transferred what risks it can to other third parties to deal with. What's left are the risks that you and the rest of your organization's security professionals must deal with. You deal with risk using five basic types of controls: deterrent, preventative, detective, corrective, and compensating. Note that there are no hard and fast boundary lines between these types—a fence around the property both deters and prevents attackers from attempting to cross the fence line, while a network intrusion prevention system both detects and attempts to block (or prevent) intrusions on your networks.

Note that this section focuses on security controls, which are of course a subset of the larger problem of risk mitigation. From a security controls perspective, you think about these controls as interfering with a human attacker (or their software and hardware minions) who is carrying out an unauthorized intrusion into your information systems or causing damage or disruption to those systems.

Let's take a closer look at each type of control and then examine common issues involved with their implementation, maintenance, and operational use.