Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 86

IMPLEMENT SECURITY CONTROLS AND ASSESS COMPLIANCE


Although it seems a bit of an oversimplification to do so, you can characterize the world of information security controls (also known as risk mitigation controls) by their mix of physical, technical (or logical), and administrative elements. For example, a perimeter fence combines a physical investment in control technology with the administrative procedures that accompany it: periodic inspection, including “walking the fence line” by the security patrols, and repairing damage done by Mother Nature, vandals, or intrusion attempts. Technical or logical controls are the software and data settings, the jumper plugs or control switches, or other device or system configuration features that administrators use to get the software and hardware to implement a security control decision. Windows-based systems, for example, use software-defined data structures called group policy objects (GPOs) that apply logical rules to subjects and objects in the system to exert security control over their behavior. Most network devices are logically configured by interacting with their GUI, a built-in web page, or a command-line interpreter, to accomplish the technical configuration of that device so that it does its part in carrying out the organization's security policies.

NOTE It's helpful to remember that a physical control interacts physically with the subject or object being controlled; technical and logical controls interact with data flows and signals being sent around the system as ways to control the logical behavior of software and hardware.

Chapter 3 will focus on how you choose what mix of physical, logical, and administrative controls to build into your security architecture; here, we'll focus on them after you've installed them and declared them operational.

Regardless of the type of control elements involved, compliance can be measured or assessed by the same set of techniques: review, audit, exercise, and operational evaluation. Help-desk trouble tickets, user complaints or suggestions, the “police blotter” or daily logs kept by your security teams, and many other sources of information should all be subject to review and audit. Performance metrics can also be adopted (preferably in automated ways) that alert management when controls are not being used effectively, as indicated by increasing rates of incidents, error rates, problem reports, and end-user dissatisfaction with system usability and reliability. Don't forget to keep an eye on customer or client behavior and input: a decline in orders, transactions, or web page hits may be as much about the quality and price of your products as it is about the security (or lack thereof) of your information systems and practices, as seen by your customers.
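As an added example (not from the book), here is the kind of automated metric the paragraph above describes: weekly help-desk ticket counts per category, with an alert when the latest week's rate climbs well above the earlier baseline. The ticket records, categories, and the two-standard-deviation threshold are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed help-desk ticket extract: (date opened, category). Sample data, not real.
TICKETS = [
    ("2024-01-01", "lockout"), ("2024-01-03", "phishing"),
    ("2024-01-09", "lockout"), ("2024-01-10", "malware"),
    ("2024-01-16", "phishing"), ("2024-01-17", "lockout"),
    ("2024-01-23", "lockout"), ("2024-01-25", "phishing"),
    # week of 2024-01-29: a spike in phishing reports
    ("2024-01-29", "phishing"), ("2024-01-29", "phishing"),
    ("2024-01-30", "phishing"), ("2024-01-31", "phishing"),
    ("2024-02-01", "lockout"), ("2024-02-02", "phishing"),
]

def week_start(day: date) -> date:
    """Monday of the ISO week containing `day`, used as the bucket key."""
    return day - timedelta(days=day.weekday())

def weekly_counts(tickets, category):
    """Count tickets of one category per week. Weeks with no tickets are
    kept as 0 so a quiet week lowers the baseline instead of vanishing."""
    days = [date.fromisoformat(d) for d, _ in tickets]
    first, last = week_start(min(days)), week_start(max(days))
    counts = Counter(week_start(date.fromisoformat(d))
                     for d, c in tickets if c == category)
    weeks, w = [], first
    while w <= last:
        weeks.append((w, counts.get(w, 0)))
        w += timedelta(days=7)
    return weeks

def control_alert(tickets, category, z=2.0):
    """Flag a category when the latest week's count exceeds the mean of all
    earlier weeks by more than `z` standard deviations; a rising incident
    rate is the signal that a control is no longer effective.
    Returns (alert, latest_count, baseline_mean)."""
    weeks = weekly_counts(tickets, category)
    if len(weeks) < 3:
        return False, weeks[-1][1], None   # too little history to judge
    history = [n for _, n in weeks[:-1]]
    latest = weeks[-1][1]
    mu, sigma = mean(history), pstdev(history)
    # floor sigma at 1 so a perfectly flat baseline does not alert on +1 ticket
    return latest > mu + z * max(sigma, 1.0), latest, mu

if __name__ == "__main__":
    for cat in ("phishing", "lockout", "malware"):
        print(cat, control_alert(TICKETS, cat))
```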

