During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention (DLP) tool.
It was noted that the tool will be configured to alert IT management when large files are sent outside of the organization via email.
What type of control will be tested?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
The control being tested in this scenario is a preventive control. Preventive controls are designed to stop an undesired event from occurring. In this case, the DLP tool is being configured to prevent the loss of sensitive information by alerting IT management when large files are sent outside the organization via email. This is done in order to prevent the loss of sensitive information, as opposed to detecting or correcting it after the fact.
Detective controls, on the other hand, are designed to detect when an undesired event has occurred. Examples of detective controls include security cameras, intrusion detection systems, and log analysis tools.
Corrective controls are designed to correct an undesired event after it has occurred. Examples of corrective controls include backup and recovery procedures, system patches, and incident response plans.
Directive controls are designed to provide guidance and direction to employees on how to perform their duties. Examples of directive controls include policies, procedures, and standards.
In summary, since the DLP tool is being configured to prevent the loss of sensitive information by alerting IT management when large files are sent outside the organization via email, the control being tested is a preventive control.