As a security professional, you are promoting security awareness, helping HR staff review recruiting processes, and implementing intrusion detection systems to respond to security incidents and biometric-based access control. Which of the following best describes what you are doing? (Wentz QOTD)
A. Defense-in-depth
B. Complete mediation
C. Top-down security strategy
D. Risk-based access control
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Defense-in-depth.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Defense-in-depth is an “information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.” (NIST Glossary)
- People: promoting security awareness
- Operations: helping HR staff review recruiting processes
- Technology: implementing intrusion detection systems to respond to security incidents and biometric-based access control
Risk-based Access Control
Access control refers to “the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).” (NIST Glossary)
There are two classes of access control approaches: traditional and dynamic. Traditional access control approaches use rigid, predetermined policies to make the access decision. Dynamic access control methods, by contrast, use not only static policies but also dynamic, real-time attributes of the request, such as context, trust, event history, location, time, and security risk. The risk-based access control model is one of these dynamic methods: it uses the security risk value associated with each access request as a criterion for the access decision.
“The principle of complete mediation requires that all accesses to objects be checked to ensure they are allowed.” (CISA)
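The two ideas above, a risk-based (dynamic) decision layered on a static policy and complete mediation, can be shown together in a toy reference monitor. The code below is an added example, not from the Wentz QOTD page or Wentz's book; the subjects, objects, risk weights, thresholds and context attributes are all constructed for illustration. Every access request passes through one `check` method (complete mediation), which first consults a static policy and then compares a context-derived risk score against a per-action tolerance.

```python
"""Added example: a toy reference monitor combining complete mediation
with a risk-based access decision on top of a static policy.
All names, weights, thresholds and sample requests are constructed
for illustration and do not come from the original page."""
from dataclasses import dataclass, field

# Traditional (static) policy: predetermined (subject, object, action) grants.
STATIC_POLICY = {
    ("alice", "hr_records", "read"),
    ("alice", "hr_records", "write"),
    ("bob", "hr_records", "read"),
}


@dataclass
class Context:
    """Dynamic, real-time attributes of a single access request."""
    location: str          # "office" or "remote"
    hour: int              # 0-23, local time of the request
    device_trusted: bool   # managed device with current patches
    recent_failures: int   # failed logins in the last hour (history)


def risk_score(ctx: Context) -> int:
    """Sum constructed risk weights; higher means a riskier request."""
    score = 0
    if ctx.location != "office":
        score += 30                       # outside the trusted network
    if ctx.hour < 7 or ctx.hour > 19:
        score += 20                       # outside business hours
    if not ctx.device_trusted:
        score += 25                       # unmanaged device
    score += min(ctx.recent_failures, 5) * 10   # recent failed logins
    return score


# Per-action risk tolerance: writes tolerate less risk than reads.
RISK_THRESHOLD = {"read": 60, "write": 40}


@dataclass
class ReferenceMonitor:
    audit_log: list = field(default_factory=list)

    def check(self, subject: str, obj: str, action: str, ctx: Context) -> bool:
        """Single choke point: every access request is evaluated here.

        Complete mediation means no request is served without this call,
        and no decision is cached across requests."""
        allowed_by_policy = (subject, obj, action) in STATIC_POLICY
        score = risk_score(ctx)
        decision = allowed_by_policy and score <= RISK_THRESHOLD[action]
        self.audit_log.append((subject, obj, action, score, decision))
        return decision

    def access(self, subject: str, obj: str, action: str, ctx: Context) -> str:
        """Perform the operation only after the monitor has allowed it."""
        if not self.check(subject, obj, action, ctx):
            raise PermissionError(
                f"{subject} may not {action} {obj} (risk {risk_score(ctx)})")
        return f"{action} on {obj} performed for {subject}"


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    office_day = Context("office", 10, True, 0)
    remote_night = Context("remote", 22, True, 0)
    print(monitor.access("alice", "hr_records", "write", office_day))
    print(monitor.check("alice", "hr_records", "write", remote_night))  # False
    print(monitor.check("alice", "hr_records", "read", remote_night))   # True
    print(len(monitor.audit_log), "requests mediated")
```

The same subject with the same static grant gets different answers depending on context: a daytime write from the office is allowed, while the same write from a remote location at night exceeds the write tolerance and is denied, although a read under that context still passes. Because every decision is appended to `audit_log` from inside `check`, the log also serves as evidence that each request was mediated.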
As a security professional, you are promoting security awareness, helping HR staff review recruiting processes, and implementing intrusion detection systems to respond to security incidents and biometric-based access control. Which of the following best describes what you are doing? (Wentz QOTD)
B. Complete mediation