> denbesten (Community Champion) posted a new topic in Industry News on 10-01-2019
> Interesting story of a control saving the day (or at least $724).
OK, I don't trigger on beers, but, as the inventor of the controls matrix, you had
me at "control."
> A customer
> had his credit card pre-configured to send alerts to his phone. He orders two
> beers. An employee skims his card. The customer is alerted to a $724
> charge, complains to the supervisor, and the employee is arrested. From a
> CISSP perspective, is this: A) an audit control, B) a detective control, C) a
> preventative control, D) a remediation control, or E) a mitigation control?
> ---- stop ----- think ---- answer ---- proceed
And, in terms of posing this as a question, I am definitely looking at how well it
works as an actual exam question. (First point: questions have four options, not
five.)
> A) Audit control is not really
> a thing, although it does bring to mind the concept of "Internal Controls", of
> which there are two types - preventative and detective.
OK, you are hung up on vocabulary, here. While the jargon is, often, important,
there are many questions that deliberately do *not* use specific terms, in order to
determine whether you have the concepts down. True, audit does not appear on
either the mil/gov or the business list of controls. But audit is a specialized case of
detective control (from the mil/gov list) and also comes under administrative
(from the business list).
Audit is *not* preventive (not preventative) unless coupled with a specifically
preventive reaction in real time.
> B) The control in this
> case is the charge-alert, which is a detective control because it was designed
> to find the problem after it occurred.
Correct.
> C) A preventative control keeps the
> problem from happening in the first place. Although the control was set up in
> advance, that does not inherently make it a preventative control. An example of
> a preventative control would be the use of customer-facing terminals because the
> employee would no longer have the opportunity to skim.
Again, customer-facing terminals are not preventive: not unless you can guarantee
that the customer (read "user") would actually pay attention, undertand what was
being displayed, and react appropriately to an overcharge. Customer-facing
terminals would simply be another detective control.
> D) In and of itself,
> remediation is not a "control". Remediation is repairing damage identified by a
> control. In this case, remediation was reversing the charge and comping the
> beers.
"Remediation" is another word for "corrective" which *is* on the mil/gov list.
> E) Again, mitigation is not a control. Mitigation is minimizing risk.
> In this case, mitigation was the customer signing up for charge alerts.
> Although mitigation often involves implementing either a detective or
> preventative control, mitigation refers to the implementation, not to the
> control being triggered.
True, I'd have a bit of trouble with mitigation as a specific contol, but it comes
close to "compensating" or "preventive" on the mil/gov list.
> Best Answer: B
Overall, I'd agree, but I think you need to work on the question a bit before you
submit it to the exam committee.
====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
There is only one thing more painful than learning from
experience, and that is not learning from experience.
- Archibald McLeish
victoria.tc.ca/techrev/rms.htm
http://twitter.com/rsladehttp://blogs.securiteam.com/index.php/archives/author/p1/https://is.gd/RotlWB
............
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
