Which of the following would best classify as a management control?
A. Review of security controls
B. Personnel security
C. Physical and environmental protection
D. Documentation

Correct answer: A
Management controls focus on the management of the IT security system and the management of risk for a system.
They are techniques and concerns that are normally addressed by management.
Routine evaluations and response to identified vulnerabilities are important elements of managing the risk of a system, thus considered management controls.
SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
The following are incorrect answers: personnel security, physical and environmental protection, and documentation are forms of operational controls.
Reference(s) used for this question: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf and FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.
A management control is a process or procedure put in place to ensure that organizational objectives are achieved efficiently and effectively. It provides a framework for decision-making, sets policies and procedures, and helps to monitor and measure performance.
Out of the given options, the best example of a management control is option A, "Review of security controls". A review of security controls is a management control because it is a systematic process used to evaluate the effectiveness of security measures in place. By conducting regular reviews, management can determine if the security controls are functioning as intended and if they are meeting the organization's security goals. This allows management to make informed decisions about adjustments to the security measures.
Option B, "Personnel security", is not a management control as it is a specific security measure designed to ensure that employees and other authorized individuals have the appropriate clearance, background checks, and training to access sensitive information or systems. Personnel security is a component of overall security but does not provide a framework for decision-making or monitoring performance.
Option C, "Physical and environmental protection", is not a management control as it refers to the physical security measures put in place to protect an organization's assets, including buildings, equipment, and data centers. While important, physical and environmental protection measures do not provide a framework for decision-making or monitoring performance.
Option D, "Documentation", is not a management control as it refers to the creation and management of documentation related to security policies, procedures, and controls. While important, documentation does not provide a framework for decision-making or monitoring performance. It is instead a necessary component of many management controls, including reviews of security controls.
Therefore, the best example of a management control out of the given options is "Review of security controls" (option A).