An organization's security policy requires all employees to complete annual training on handling sensitive data. This training instructs employees on the correct procedures for data classification, storage, and transmission. How is this type of security control best classified?
Directive controls are designed to guide or direct the actions of individuals to comply with security policies and standards. Mandatory security awareness training, as specified by a policy, is a classic example of a directive control because it instructs employees on the required security behaviors. While training may have a preventive effect, its primary function here is to direct actions. Preventive controls are technical or physical barriers that stop an incident, like a firewall. Detective controls identify incidents after they occur, like an Intrusion Detection System (IDS). Corrective controls are used to limit the damage after an incident, such as restoring from backups.