Risk mitigation and risk reduction controls for providing information security are classified within three main categories, which of the following are being used?
Correct Answer: C
Explanation/Reference:
Explanation:
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors:
administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Incorrect Answers:
A: Neither preventive nor corrective are one of the three main categories of risk reduction controls.
B: Neither detective nor corrective are one of the three main categories of risk reduction controls.
D: Operational is not one of the three main categories of risk reduction controls.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26