When are "management controls" used as opposed to "technical"?

canadiocanadio Member Posts: 13 ■□□□□□□□□□
When are "management controls" used as opposed to "technical"?

Comments

  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    reason for asking: the IT security textbooks seem a bit vague on this issue.
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Member Posts: 230 ■■■□□□□□□□
    Management aka Administrative controls are more manual process based. Think of those enforced through policies/procedures/SOPs/guides.

    Technical are hard coded restrictions (think RBAC).
    Certs: CISSP, CISA, PMP
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    ok thanks.

    So employees exiting a premises via the fire exit because their swipe cards don't always work.

    What type of control is needed here?
  • BlackBeretBlackBeret Member Posts: 684 ■■■■■□□□□□
    Management control would be my answer here. Think things that are policy based. "Employees are not allowed to use the fire exit except in an emergency". You could implement a technical control to discourage it's use, such as wiring in an alarm that would sound if the door were open, but you couldn't actually prevent someone from using the fire exit via technical means without completely blocking it off.
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    or if you have scenarios where staff are sharing passwords...would this merit a management control or a technical control?
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Member Posts: 230 ■■■□□□□□□□
    The thing restricting/prohibiting the action is the control.

    You could prevent password sharing through either a technical or management control. Technical=biometric multifactor authentication, hard token MFA, etc. Management=policy restricting this, signing rules of behavior prohibiting the sharing of passwords, etc.
    Certs: CISSP, CISA, PMP
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    ok thanks guys.

    in the context of the Security+ exam what would most appropriate answer be
    a technical or management control?
  • BlackBeretBlackBeret Member Posts: 684 ■■■■■□□□□□
    How would you stop someone sharing passwords? Can you physically prevent it? If you wanted to use a management control you could put a policy in place, theoretically stopping it. If you wanted a technical control, you could remove Bob's fingers and tongue, preventing him from writing it down or speaking it to Lisa. Which would you use?
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    BlackBeret wrote: »
    How would you stop someone sharing passwords? Can you physically prevent it? If you wanted to use a management control you could put a policy in place, theoretically stopping it. If you wanted a technical control, you could remove Bob's fingers and tongue, preventing him from writing it down or speaking it to Lisa. Which would you use?

    I hear ya buddy!
Sign In or Register to comment.