
CISSP Exam Guide Notes: 5.8 Controlling Physical/Logical Access

Author: 血狼debugeeker
Published 2021-03-02 10:51:19
Included in the column: debugeeker's column

Access Control Layers


Administrative controls:

  • Policy and procedures
  • Personnel controls
  • Supervisory structure
  • Security-awareness training
  • Testing

Physical controls:

  • Network segregation
  • Perimeter security
  • Computer controls
  • Work area separation
  • Data backups
  • Cabling
  • Control zone

Technical controls:

  • System access
  • Network architecture
  • Network access
  • Encryption and protocols
  • Auditing

Administrative Controls


The first piece in building a security foundation within an organization is a security policy. It is management’s responsibility to construct a security policy and delegate the development of the supporting procedures, standards, and guidelines; indicate which personnel controls should be used; and specify how testing should be carried out to ensure all pieces fulfill the company’s security goals. These items are administrative controls and work at the top layer of a hierarchical access control model.

Personnel Controls

Personnel controls indicate how employees are expected to interact with security mechanisms and address noncompliance issues pertaining to these expectations.

Supervisory Structure

Management must construct a supervisory structure in which each employee has a superior to report to, and that superior is responsible for that employee’s actions.

Security-Awareness Training

A company’s security depends upon technology and people, and people are usually the weakest link and cause the most security breaches and compromises.

Testing

All security controls, mechanisms, and procedures must be tested on a periodic basis to ensure they properly support the security policy, goals, and objectives set for them.

For the remaining content, see my WeChat official account debugeeker; the link is CISSP Exam Guide Notes: 5.8 Controlling Physical/Logical Access

Originally published 2021/02/23 on the author's personal site/blog.
