A CISSP can help establish the baseline of security controls for the organisation they work for.
Know the two ways of categorising security controls at a high level:
MOT vs PAT
MOT = Management / Operational / Technical
PAT = Physical / Administrative / Technical
and the functional sub-categories:
– detective (eg. cameras, motion detectors, log review / alerting)
– preventative (eg. locks, access control lists)
– corrective (ie. acting after the incident to repair the damage and restore normal operation, eg. restoring from backup, patching the exploited flaw)
– deterrent (eg. warning signs, visible guard patrols; see the note below)
– common / inheritable (implemented once at the organisational level and inherited by individual systems, eg. perimeter firewall, SIEM / log ingestion, hardened baseline image)
The difference between preventative and deterrent controls (easy to confuse the two) is:
– a preventative control stops the attacker/perpetrator from carrying out the action at all
– a deterrent control raises the perceived risk or cost of committing the act, but the perpetrator can still choose to go ahead.
For example, security guard patrols deter perpetrators, but do not prevent them from attempting to intrude; a locked door prevents entry until someone defeats the lock.
Tailored vs Scoped vs Supplemented Controls
Tailoring = fine-tuning the controls already in the baseline (typically their parameter values) so they fit the system and its risk
e.g. reducing the session timeout from the baseline value to a shorter one
Scoping = removing baseline controls that do not apply to the system, with a documented justification for each removal
e.g. if a system technically permits only one session per user, then concurrent session control does not apply and can be scoped out.
Supplementation = adding controls (or environment- or platform-specific implementation detail) beyond the baseline, to address risks the baseline does not cover
e.g. extra hardening requirements specific to the platform the system runs on.
Note: in NIST SP 800-53 terms "tailoring" is the umbrella process that includes scoping, assigning parameter values and supplementing; in CISSP usage the three are usually treated as distinct activities, as above.
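The three operations are easier to keep apart when a baseline is treated as data and each operation is a function with its own check. The script below is an added example, not part of the original notes or of any standard: the baseline contents are constructed (three controls with NIST SP 800-53 style identifiers, AC-10 Concurrent Session Control and AC-12 Session Termination being real ones, PLAT-1 a hypothetical organisation-specific identifier), and the checks it enforces are the ones a practitioner would want: tailoring may only change parameters the control already has, scoping requires a written justification and keeps the control on record rather than deleting it, and supplementation refuses to re-add a control that is already in the baseline.

```python
"""Baseline tailoring / scoping / supplementation demo.

Added example with a constructed baseline; control IDs follow NIST SP 800-53
naming for AC-10 and AC-12, while PLAT-1 is a hypothetical organisation-specific ID.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Control:
    cid: str                                   # control identifier, e.g. "AC-12"
    title: str
    params: Dict[str, object] = field(default_factory=dict)  # tunable values
    origin: str = "baseline"                   # "baseline" or "supplement"
    scoped_out: Optional[str] = None           # justification if scoped out


Baseline = Dict[str, Control]

# Constructed baseline for the example (not a complete real baseline).
BASELINE: Baseline = {
    "AC-10": Control("AC-10", "Concurrent Session Control", {"max_sessions_per_user": 3}),
    "AC-12": Control("AC-12", "Session Termination", {"idle_timeout_minutes": 30}),
    "AU-6": Control("AU-6", "Audit Record Review, Analysis, and Reporting",
                    {"review_frequency": "weekly"}),
}


def tailor(baseline: Baseline, cid: str, **params: object) -> Baseline:
    """Tailoring: adjust parameter values of a control already in the baseline.

    Only parameters the control already defines may be changed; introducing a
    new parameter or control is supplementation, not tailoring.
    """
    ctl = baseline[cid]  # KeyError if the control is not in the baseline
    unknown = set(params) - set(ctl.params)
    if unknown:
        raise ValueError(f"{cid}: cannot tailor unknown parameter(s) {sorted(unknown)}")
    return {**baseline, cid: replace(ctl, params={**ctl.params, **params})}


def scope_out(baseline: Baseline, cid: str, justification: str) -> Baseline:
    """Scoping: mark a control as not applicable.

    The control stays in the record with its justification so an assessor can
    see what was removed and why, instead of silently disappearing.
    """
    if not justification.strip():
        raise ValueError(f"{cid}: scoping requires a written justification")
    ctl = baseline[cid]
    return {**baseline, cid: replace(ctl, scoped_out=justification.strip())}


def supplement(baseline: Baseline, control: Control) -> Baseline:
    """Supplementation: add a control beyond the baseline for a risk it does not cover."""
    if control.cid in baseline:
        raise ValueError(f"{control.cid} is already in the baseline; tailor it instead")
    return {**baseline, control.cid: replace(control, origin="supplement")}


def effective_controls(baseline: Baseline) -> list:
    """Identifiers of the controls that must actually be implemented and assessed."""
    return sorted(cid for cid, ctl in baseline.items() if ctl.scoped_out is None)


def build_example() -> Baseline:
    """Apply one tailoring, one scoping and one supplementation step to BASELINE."""
    b = tailor(BASELINE, "AC-12", idle_timeout_minutes=10)        # shorter timeout
    b = scope_out(b, "AC-10", "Platform permits exactly one interactive session "
                              "per user, so concurrent sessions cannot occur")
    b = supplement(b, Control("PLAT-1", "Platform-specific kernel hardening settings",
                              {"profile": "vendor-hardening-v2"}))  # hypothetical
    return b


if __name__ == "__main__":
    final = build_example()
    for cid in sorted(final):
        ctl = final[cid]
        status = (f"SCOPED OUT ({ctl.scoped_out})" if ctl.scoped_out
                  else f"{ctl.origin}: {ctl.params}")
        print(f"{cid:8} {ctl.title:48} {status}")
    print("effective:", effective_controls(final))
```

Each function returns a new baseline and leaves the input untouched, so the original baseline and every tailored version can be kept side by side for the assessor; the AC-10 entry survives in the record with its scoping justification even though it no longer appears in the list of effective controls.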