During a recent compliance audit, an organization discovered that some customer service representatives were emailing spreadsheets that contained unmasked payment-card data. Senior management wants to reduce the risk of mishandling customer information by explicitly telling employees what is and is not permitted when processing sensitive data. Which type of control would BEST achieve this goal?
Implementing security policies and guidelines is a directive control. Directive controls set expectations and provide written or verbal guidance so that employees follow mandated practices when handling sensitive information. Visible security cameras primarily discourage misconduct (a physical deterrent control), firewalls block or filter unwanted traffic (a technical preventive control), and encryption tools protect data confidentiality (also a technical preventive control). While these measures enhance security, they do not directly instruct employees on proper procedures.