Security policies are indeed directive controls as they direct, guide, and influence the actions of employees within an organization. They lay down rules and guidelines that employees should follow, such as acceptable use policies, to ensure compliance with the organization's security posture.