The policy is a directive control because it provides written guidance that instructs users on the required behavior (how to create passwords) to meet the organization's security expectations. Preventive controls stop incidents from occurring (for example, a firewall), deterrent controls discourage attacks (for example, posted warning signs), and detective controls identify incidents after they happen (for example, log analysis). The password-complexity statement does not directly block or detect attacks; it directs users, so it is classified as a directive control.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a directive control in cybersecurity?
Open an interactive chat with Bash
How does a directive control differ from a preventive control?
Open an interactive chat with Bash
Why wouldn't password complexity requirements be considered a preventive control?