Control Categories

teancum144 Member Posts: 229
Page 52 (location 1301) of the Official Guide has the following figure:


  • Logs is listed under "Detective" and "Technical".
  • Logging is listed under "Compensating" and "Administrative".
How can logs/logging be "Technical" in one case and "Administrative" in the other?

  • CCTV is listed under "Detective" and "Physical".
  • CCTV is listed under "Compensating" and "Technical".
How can CCTV be "Physical" in one case and "Technical" in the other?

Comments

  • TheProfezzor Member Posts: 204
    You are apparently mixing up the types and categories. Here's what I know:

    For access control mechanisms, there are 3 basic categories. Which are:

    - Administrative (Training, Background Check, Personal Security Measures)
    - Technical (Passwords, Encryption, Logical Security for Assets)
    - Physical (Fences, Gates, Turnstiles, CCTV, Bollards, Locks, Biometrics)

    Now, within these 3 categories, there can be a number of types. Types include:

    - Preventive\Preventative (Controls that prevent or keep a risk from materializing)
    - Detective (Controls that detect threats)
    - Corrective (Controls that correct the environment, after a risk has been materialized)
    - Deterrent (Controls that deter a threat agent from exploiting a vulnerability)
    - Recovery (Controls that recover after the corrective measures are not sufficient and a thorough recovery is required)
    - Directive (Controls that are used to govern and direct the human resource)
    - Compensating (Controls that are put in place of other controls, to somewhat mitigate risk)

    Having said that, controls can be both Administrative-Preventive or Technical-Detective and so on. Now, in your case however, the image attached shows how one control can be both administrative and technical. It depends upon the context and the environment. For example:

    CCTV can be both deterrent and detective. Burglars can be deterred if the CCTV is placed in clear line of sight and in view of passing commuters. It can also detect intrusions when you look into recordings from past days in order to establish an audit trail. In this case, CCTV is "Physical and Detective". However, if an environment has a requirement for security guards but the management does not go for it since guards are an expensive control to manage, then they might decide to opt for CCTV instead. In this situation, CCTV becomes "Compensating\Technical".

    Logs are primarily a Technical\Detective control. But they can also be an Administrative\Compensating control when they are being employed in place of another control, like an access control mechanism. If the organization does not have the budget to implement a good access control mechanism, they can compensate for that with strict logging and monitoring. Since monitoring is primarily an administrative control, this combination now becomes Administrative\Compensating.

    I hope you get what I meant to say. Do let us know here if you have further questions. I am preparing for CISSP too and would be sitting for it in a week. I like to flex my brain muscles, so whatever questions you have, shoot!
    OSCP: Loading . . .
  • JDMurray Admin Posts: 13,092
    > Logs are primarily a Technical\Detective control. But they can also be an Administrative\Compensating control when they are being employed in place of another control, like an access control mechanism.
    I really don't like the idea of logs being considered a compensating control. Compensating controls are also optional controls. Logging is a unique control unto itself and should never be considered optional or duplicating some other security function. Logs are Technical/Detective for troubleshooting and security and Administrative/Directive for meeting regulatory requirements.