PrepAway - Latest Free Exam Questions & Answers

Which of the following risk mitigation strategies is MOST important to the security manager?

The system administrator has deployed updated security controls for the network to limit risk of
attack. The security manager is concerned that controls continue to function as intended to
maintain appropriate security posture.
Which of the following risk mitigation strategies is MOST important to the security manager?

A. User permissions

B. Policy enforcement

C. Routine audits

D. Change management

2 Comments on “Which of the following risk mitigation strategies is MOST important to the security manager?”

  1. Marcus Vincent says:

    Routine audits are more of a management control function than a risk mitigation strategy. They are a part of a risk mitigation strategy, but to my way of thinking not a risk mitigation strategy in and of itself.
  2. meac says:

    One of these poorly drafted questions:

    Who: “The system administrator”
    What: “has deployed updated security controls”.
    Where?: “In the network”
    Why?: “to limit risk of attack.”

    So far so good. Then comes the security manager who wants to ensure that the above security controls remain in place from now on.

    First, for a full definition:
    Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

    They can be classified by several criteria. For example, according to the time that they act, relative to a security incident:
    • Before the event, preventive controls are intended to prevent an incident from occurring e.g. by locking out unauthorized intruders;
    • During the event, detective controls are intended to identify and characterize an incident in progress e.g. by sounding the intruder alarm and alerting the security guards or police;
    • After the event, corrective controls are intended to limit the extent of any damage caused by the incident e.g. by recovering the organization to normal working status as efficiently as possible.

    According to their nature, for example:
    • Physical controls e.g. fences, doors, locks and fire extinguishers;
    • Procedural controls e.g. incident response processes, management oversight, security awareness and training;
    • Technical controls e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
    • Legal and regulatory or compliance controls e.g. privacy laws, policies and clauses.

    So “deploying security controls in the network” in this case were:
    1) Preventive as far as classification is concerned and
    2) Either “procedural” or “technical” as far as nature is concerned.

    This is where it becomes tricky as we do not know whether the security controls are Procedural or technical.

    If it is procedural, then nothing has been changed in our systems, so how is this going to limit the risk of attack?

    If technical changes were implemented, then something indeed was changed, which falls under the area of “Change Management”

    So which one is it?

    Looking at all the answers, they fall on the “procedural” category.

    So we have:

    A– User permissions. This is not a procedural activity, rather a technical one
    C– Routine audits- I agree with Marcus. Routine audits are more of a management control function than a risk mitigation strategy
    D– Change management: This speaks of actual technical changes, hence not a procedural activity

    So to my mind, “Preventive” “Procedural Controls” were performed, and the best way to maintain them is through a rigid “B– Policy enforcement”
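Whichever option the exam key favours, the scenario's premise is the same in practice: the security manager needs evidence, on a recurring basis, that the controls the administrator deployed still match what was approved. The script below is an added example written for this page (not code from the exam question, the site, or either commenter). It parses an sshd_config-style file, compares it against a small approved baseline, and reports each control as pass, fail or missing. The OpenSSH keywords are real, but the baseline values, control names and the sample configuration are constructed for illustration.

```python
"""Routine control audit: verify deployed controls still match an approved baseline.

Added example for this page, not from the question or its commenters.
Baseline, control names and the sample configuration are constructed.
"""
from dataclasses import dataclass

# Approved baseline: control name -> (sshd keyword, comparator, expected value).
# Constructed for this example; a real one comes from the hardening standard.
BASELINE = {
    "no-root-login":    ("PermitRootLogin", "eq", "no"),
    "no-password-auth": ("PasswordAuthentication", "eq", "no"),
    "idle-timeout":     ("ClientAliveInterval", "le", 300),
    "max-auth-tries":   ("MaxAuthTries", "le", 4),
    "banner-present":   ("Banner", "present", None),
}

# Constructed snapshot of a host's current config (not a real host). Two
# controls have drifted, one is absent, and the duplicate PermitRootLogin
# line exercises sshd's first-occurrence-wins rule.
SAMPLE_CONFIG = """\
# constructed sample, managed by configuration management
PermitRootLogin no
PasswordAuthentication yes
ClientAliveInterval 600
MaxAuthTries 4
PermitRootLogin yes
"""


@dataclass
class Finding:
    control: str
    key: str
    expected: object
    actual: object
    status: str  # "pass", "fail" or "missing"


def parse_config(text):
    """Parse 'Keyword value' lines; keywords are case-insensitive and, as in
    sshd itself, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def _satisfies(comparator, expected, actual):
    """True when the observed value meets the baseline requirement."""
    if comparator == "present":
        return True  # the keyword exists; presence is the whole requirement
    if comparator == "eq":
        return actual.lower() == str(expected).lower()
    if comparator == "le":
        try:
            return int(actual) <= int(expected)
        except ValueError:
            return False  # a non-numeric value cannot satisfy a numeric bound
    raise ValueError(f"unknown comparator: {comparator}")


def audit(config_text, baseline=BASELINE):
    """One Finding per baseline control. An absent keyword is reported as
    "missing" rather than assumed to pass: sshd would use its compiled-in
    default, and the baseline requires the value to be set explicitly."""
    settings = parse_config(config_text)
    findings = []
    for control, (key, comparator, expected) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            status = "missing"
        else:
            status = "pass" if _satisfies(comparator, expected, actual) else "fail"
        findings.append(Finding(control, key, expected, actual, status))
    return findings


def summarize(findings):
    """Count findings by status."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def controls_intact(findings):
    """True only when every baseline control is present and satisfied."""
    return all(f.status == "pass" for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.status:7} {f.control:18} {f.key}={f.actual!r} expected {f.expected!r}")
    print("summary:", summarize(results), "intact:", controls_intact(results))
```

Run on a schedule and diffed against the previous run, the output is the audit evidence the manager in the scenario is after; the "missing" status is deliberate so that a control silently reverting to a daemon default is flagged rather than counted as compliant.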