Which of the following is not a preventive operational control?
Correct answer: D.
Conducting security awareness and technical training to ensure that end users and system users are aware of the rules of behaviour and their responsibilities in protecting the organization's mission is an example of a preventive management control, and is therefore not an operational control.
Source: STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2001 (page 37).
Preventive operational controls are measures that are put in place to stop a security incident from occurring in the first place. Of the options listed, three of them are examples of preventive operational controls, while one is not.
A. Protecting laptops, personal computers, and workstations is a preventive operational control. This could include implementing password-protected screensavers, installing anti-virus software, or setting up firewalls.
B. Controlling software viruses is also a preventive operational control. This might involve regularly updating anti-virus software, scanning for viruses, or restricting access to certain websites or downloads.
C. Controlling data media access and disposal is another preventive operational control. This might include securely disposing of old hard drives, encrypting data on removable media, or restricting access to sensitive data.
D. Conducting security awareness and technical training is not a preventive operational control. Instead, it is an example of a detective or corrective control. Security awareness and training can help employees identify potential security risks and respond appropriately, but it does not prevent the risks from occurring in the first place.
In summary, the answer to the question is D. Conducting security awareness and technical training is not a preventive operational control. The other options are all examples of preventive operational controls.