search

Which of the following best describes the difference between access controls and application controls?

1 Jahrs vor
Kommentare: 0
Ansichten: 190

  • F5 Labs
  • Learning Center

An overview of the types of countermeasures security practitioners use to reduce risk.

Show

August 22, 2019

3 min. read

Introduction

F5 Labs education articles help you understand basic threat-related security topics. 

At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.

Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.

Control Objectives First…

Security controls are not chosen or implemented arbitrarily. They typically flow out of an organization’s risk management process, which begins with defining the overall IT security strategy, then goals. This is followed by defining specific control objectives—statements about how the organization plans to effectively manage risk. For example, “Our controls provide reasonable assurance that physical and logical access to databases and data records is restricted to authorized users” is a control objective. “Our controls provide reasonable assurance that critical systems and infrastructure are available and fully functional as scheduled” is another example.

…Then Security Controls

Once an organization defines control objectives, it can assess the risk to individual assets and then choose the most appropriate security controls to put in place. One of the easiest and most straightforward models for classifying controls is by type: physical, technical, or administrative, and by function: preventative, detective, and corrective.

Control Types

Physical controls describe anything tangible that’s used to prevent or detect unauthorized access to physical areas, systems, or assets. This includes things like fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTVs, surveillance cameras, motion sensors, fire suppression, as well as environmental controls like HVAC and humidity controls.

Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion protection systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures.

Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

Control Functions

Preventative controls describe any security measure that’s designed to stop unwanted or unauthorized activity from occurring. Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing.

Detective controls describe any security measure taken or solution that’s implemented to detect and alert to unwanted or unauthorized activity in progress or after it has occurred. Physical examples include alarms or notifications from physical sensor (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls.

Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control.

The table below shows how just a few of the examples mentioned above would be classified by control type and control function.

 CONTROL FUNCTIONS
Preventative Detective Corrective
CONTROL TYPES Physical Fences, gates, locks CCTV and surveillance camera logs Repair physical damage, re-issue access cards
Technical Firewall, IPS, MFA solution, antivirus software Intrusion detection systems, honeypots Patch a system, terminate a process, reboot a system, quarantine a virus
Administrative Hiring and termination policies, separation of duties, data classification Review access rights, audit logs, and unauthorized changes Implement a business continuity plan or incident response plan

F5 Labs Security Controls Guidance

To provide threat intelligence that’s actionable, F5 Labs threat-related content, where applicable, concludes with recommended security controls as shown in the following example. These are written in the form of action statements and are labeled with control type and control function icons. They’re meant to be a quick, at-a-glance reference for mitigation strategies discussed in more detail in each article.

Which of the following best describes the difference between access controls and application controls?

Security practitioners implement a combination of security controls based on stated control objectives tailored to the organization’s needs and regulatory requirements. Ultimately, the goal of both control objectives and controls is to uphold the three foundational principles of security: confidentiality, integrity, and availability, also known as the CIA Triad.

Debbie Walkowski (Author)

More from Learning Center

What is the difference between application control and general control?

On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. Application controls are specific controls unique to each computerized application, such as payroll or order processing.

What is the definition of application controls?

Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk.

What is an example of an application control?

An example of an application control is the validity check, which reviews the data entered into a data entry screen to ensure that it meets a set of predetermined range criteria. Or, a completeness check will examine a data entry screen to see if all fields have an entry.

Which of the following best describes the difference between primary and foreign key?

A primary key is used to ensure data in the specific column is unique. A foreign key is a column or group of columns in a relational database table that provides a link between data in two tables. It uniquely identifies a record in the relational database table.

describes difference access controls application controls

zusammenhängende Posts

Which of the following best describes the function of Windows hello for business?
Which of the following best describes the function of Windows hello for business?

Which of the following describes psychosocial development occurring during the adolescent stage of development quizlet?
Which of the following describes psychosocial development occurring during the adolescent stage of development quizlet?

THE term for the concept that describes the ways in which places are connected is
THE term for the concept that describes the ways in which places are connected is

Which of the following statements describes the medias role in the regulation of advertising?
Which of the following statements describes the medias role in the regulation of advertising?

Which phrase best describes the occupational safety and health administration (osha) quizlet
Which phrase best describes the occupational safety and health administration (osha) quizlet

Which statement describes the purpose of a Community Emergency Response Team quizlet?
Which statement describes the purpose of a Community Emergency Response Team quizlet?

The nurse understands that which statement describes a person who is mentally ill
The nurse understands that which statement describes a person who is mentally ill

Which of the following describes the tension that surrounded Nullification Quizlet
Which of the following describes the tension that surrounded Nullification Quizlet

Which of the following describes the main difference between meiosis and mitosis?
Which of the following describes the main difference between meiosis and mitosis?

It describes your respondents: who they are, what their profile is, where they are from, etc.
It describes your respondents: who they are, what their profile is, where they are from, etc.

Werbung

NEUESTEN NACHRICHTEN

What delivers applications over the cloud using a pay-per-use revenue model?
1 Jahrs vor . durch AsceticTranslation
What processes convert data into information and information into knowledge?
1 Jahrs vor . durch CorruptSolicitation
Fuß umgeknickt keine Schwellung aber Schmerzen was tun
1 Jahrs vor . durch TraceableMeasurement
What can decrease the effectiveness of an mbo (management by objectives) system?
1 Jahrs vor . durch HomesickDumps
Wie viel kostet ein normales Ohrloch stechen?
1 Jahrs vor . durch PitchedContents
Ein Colt für alle Fälle Klingelton Android
1 Jahrs vor . durch MonumentalShaving
Gemeinschaft entwässerung wer ist für zuständig
1 Jahrs vor . durch BarbaricCorrelation
Was ist der unterschied zwischen einem boot und einem schiff
1 Jahrs vor . durch HelluvaNuisance
Wann geht es weiter mit Outpost?
1 Jahrs vor . durch TumblingVariation
Wer ist bei lets danz faisal
1 Jahrs vor . durch SkilledStoryteller

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendefrkoptzhitthjphi
Urheberrechte © © 2024 nguoilontuoi Inc.