Functional order of controls?
-
In the notes to CISSP, it says the functional order for controls should be:
- Deter
- Deny
- Detect
- Delay
Shouldn't it be:
- Deter
- Detect
- Deny
- Delay
???
-
The notes are correct. Elaborating with an example of each might help. Per (ISC)2, the functional order in which security controls should be used is as follows:
- Deterrence: electric fencing around the entire facility
- Denial: locked doors for the facility
- Detection: motion detectors in the main facility
- Delay: cable locks on all laptops
Notice how our goal is for the motion detectors not to be needed, as this would mean the attacker has made it past the deter and deny phases. Not good!
-
Thanks, Anthony. I see the reasoning behind what you are writing, but I have also found equally good reasoning on many sites that say detect comes before deny.
They say "Detection is the process of identifying potential threats as early as possible. This can involve a range of technologies, such as motion sensors, video analytics, and intrusion detection systems. The goal is to detect threats before they have a chance to breach the perimeter and enter the facility or system."
Is there an official document (with a link) that states this definitively?
Thanks!
-
For this one it would appear we have to trust the official curriculum: the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition, and its previous editions. As far as I can tell, this functional order of controls was not pulled from a standards document.