When are "management controls" used as opposed to "technical"?

canadio

Find more posts tagged with

Comments

canadio

reason for asking: the IT security textbooks seem a bit vague on this issue.

soccarplayer29

Management aka Administrative controls are more manual process based. Think of those enforced through policies/procedures/SOPs/guides.

Technical are hard coded restrictions (think RBAC).

canadio

ok thanks.

So employees exiting a premises via the fire exit because their swipe cards don't always work.

What type of control is needed here?

BlackBeret

Management control would be my answer here. Think things that are policy based. "Employees are not allowed to use the fire exit except in an emergency". You could implement a technical control to discourage it's use, such as wiring in an alarm that would sound if the door were open, but you couldn't actually prevent someone from using the fire exit via technical means without completely blocking it off.

canadio

or if you have scenarios where staff are sharing passwords...would this merit a management control or a technical control?

soccarplayer29

The thing restricting/prohibiting the action is the control.

You could prevent password sharing through either a technical or management control. Technical=biometric multifactor authentication, hard token MFA, etc. Management=policy restricting this, signing rules of behavior prohibiting the sharing of passwords, etc.

canadio

ok thanks guys.

in the context of the Security+ exam what would most appropriate answer be
a technical or management control?

BlackBeret

How would you stop someone sharing passwords? Can you physically prevent it? If you wanted to use a management control you could put a policy in place, theoretically stopping it. If you wanted a technical control, you could remove Bob's fingers and tongue, preventing him from writing it down or speaking it to Lisa. Which would you use?

canadio

BlackBeret wrote: »

How would you stop someone sharing passwords? Can you physically prevent it? If you wanted to use a management control you could put a policy in place, theoretically stopping it. If you wanted a technical control, you could remove Bob's fingers and tongue, preventing him from writing it down or speaking it to Lisa. Which would you use?

I hear ya buddy!