Identify Possible Controls (for Residual Risk)

Residual risk is the risk that remains to an information asset even after the existing controls have been applied.

Three general categories of controls

· Policies

· Programs

· Technologies

Policies

· General Security Policy

· Program Security Policy

· Issue-Specific Policy

· System-Specific Policy

Programs

- Education

- Training

- Awareness

Security Technologies

Access Controls 

- Specifically address the admission of a user into a trusted area of the organization.

- E.g. computer rooms, power rooms.

- A combination of policies, programs, and technologies.

Types of Access Controls

Mandatory Access Controls (MACs) 

Give users and data owners limited control over access to information resources.

Nondiscretionary Controls

Managed by a central authority in the organization; can be based on an individual's role (role-based controls) or on a specified set of assigned tasks (task-based controls).

Discretionary Access Controls (DAC)

Implemented at the discretion or option of the data user.

Lattice-based Access Controls

A variation of MAC: users are assigned a matrix of authorizations for particular areas of access.
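The four access-control types listed above differ mainly in who makes the access decision. The following Python example (added here to illustrate the notes; it is not code from the source and the users, roles, labels and permissions are constructed sample values) puts a minimal decision function beside each type: a DAC resource whose owner edits its own ACL, a role-based nondiscretionary check driven by a central role table, and a lattice-based MAC check where access is granted only when the subject's label dominates the object's label in the (level, compartments) lattice.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# --- Discretionary Access Control (DAC) -----------------------------------
# The resource owner decides who else may access the resource.

@dataclass
class DacResource:
    owner: str
    # per-user permission sets; only the owner may change them
    acl: Dict[str, Set[str]] = field(default_factory=dict)

def dac_grant(res: DacResource, actor: str, user: str, perm: str) -> bool:
    """Grant `perm` to `user`; succeeds only when `actor` is the owner."""
    if actor != res.owner:
        return False
    res.acl.setdefault(user, set()).add(perm)
    return True

def dac_allowed(res: DacResource, user: str, perm: str) -> bool:
    """Owner always has access; everyone else needs an ACL entry."""
    return user == res.owner or perm in res.acl.get(user, set())

# --- Nondiscretionary (role-based) control --------------------------------
# A central authority maintains both tables; users cannot change them.
# Constructed sample data:
ROLE_PERMS: Dict[str, Set[str]] = {
    "auditor": {"read:logs"},
    "operator": {"read:logs", "write:config"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"auditor"},
    "bob": {"operator"},
}

def rbac_allowed(user: str, perm: str) -> bool:
    """Permitted if any role assigned to the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(perm in ROLE_PERMS.get(role, set()) for role in roles)

# --- Lattice-based MAC ----------------------------------------------------
# A label is (sensitivity level, set of compartments). Subject label S
# dominates object label O when S's level >= O's level and S holds every
# compartment O requires; that is the partial order of the lattice.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
Label = Tuple[str, FrozenSet[str]]

def dominates(subject: Label, obj: Label) -> bool:
    s_level, s_comps = subject
    o_level, o_comps = obj
    return LEVELS[s_level] >= LEVELS[o_level] and o_comps <= s_comps

def mac_allowed(clearance: Label, classification: Label) -> bool:
    """Access is granted only when the clearance dominates the classification."""
    return dominates(clearance, classification)

if __name__ == "__main__":
    report = DacResource(owner="alice")
    dac_grant(report, "alice", "carol", "read")
    print("DAC carol read:", dac_allowed(report, "carol", "read"))
    print("RBAC alice write:config:", rbac_allowed("alice", "write:config"))
    clearance = ("secret", frozenset({"finance"}))
    print("MAC secret/finance -> confidential/finance:",
          mac_allowed(clearance, ("confidential", frozenset({"finance"}))))
```

Note the contrast in each branch: in the DAC case a non-owner cannot extend the ACL at all, in the role-based case a user with no entry in the central table gets nothing regardless of what the data owner wants, and in the lattice case a higher level alone is not enough if a required compartment is missing.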