📖 What is Detective Control?
Detective controls are measures designed to identify errors, irregularities, or security incidents *after* they have occurred. These controls do not prevent issues but provide timely notification, allowing for investigation and corrective action to mitigate potential damage or loss. Examples include log monitoring and reconciliation.
"While important, detective controls are less effective than preventive controls. The exam will test your ability to assess the limitations of detective controls and the importance of timely responses to identified issues. Understand how detective controls complement preventive and corrective controls."
📚 Certification: Certified Information Systems Auditor (CISA)
🔑 What are the Key Concepts of Detective Control?
- Detective controls rely on identifying anomalies; their effectiveness hinges on timely monitoring and analysis of logs, alerts, and reports.
- These controls are reactive, meaning they function *after* an event, unlike preventive controls which aim to stop events from happening.
- Effective detective controls require clearly defined thresholds and escalation procedures to ensure appropriate responses to detected issues.
- Detective controls are often used to validate the effectiveness of preventive controls, confirming they are functioning as intended.
- Examples include intrusion detection systems (IDS), security information and event management (SIEM) systems, and regular data reconciliations.
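The key concepts above (clearly defined thresholds, escalation, timely analysis of logs, and data reconciliation) can be made concrete in a few lines. The following is an added example written for this page, not code from the study material or from any product it names; the log lines, hosts, usernames, window size, thresholds and account lists are all constructed sample data.

```python
"""Added example (not from the CISA study page): a minimal detective control.

It scans constructed authentication log lines, counts failed logins per source
inside a sliding window, and applies clearly defined thresholds with escalation
levels. It also reports detection latency, because a detective control only
helps when it fires soon enough for investigation and corrective action.
A small account reconciliation shows the second kind of detective control the
page names. All hosts, users, thresholds and rosters below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like shape (hypothetical hosts/users).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:03 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:04 sshd: Accepted password for bob from 10.0.0.9
2024-05-01T09:00:05 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:00:06 sshd: Failed password for root from 10.0.0.5
2024-05-01T09:00:07 sshd: Failed password for root from 10.0.0.5
2024-05-01T09:00:08 sshd: Failed password for root from 10.0.0.5
2024-05-01T09:10:00 sshd: Failed password for carol from 10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Clearly defined thresholds (constructed values): failures per source inside WINDOW.
# The list is ascending; the highest threshold reached determines the severity.
WINDOW = timedelta(minutes=5)
THRESHOLDS = [(3, "ALERT"), (5, "ESCALATE")]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "failed": outcome == "Failed",
            "user": user, "src": src}


def severity_for(count):
    """Map a failure count to the highest threshold name it reaches (or None)."""
    level = None
    for threshold, name in THRESHOLDS:
        if count >= threshold:
            level = name
    return level


def detect_failed_logins(log_text):
    """Return one finding per (source, severity) transition, with detection latency.

    Latency is measured from the source's first failure to the moment the
    threshold fires: the 'timely notification' the control is meant to provide.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside WINDOW
    first_failure = {}            # src -> timestamp of its first observed failure
    reported = {}                 # src -> severity already raised for it
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        first_failure.setdefault(ev["src"], ev["ts"])
        sev = severity_for(len(q))
        if sev and sev != reported.get(ev["src"]):   # only report escalations, not every hit
            reported[ev["src"]] = sev
            findings.append({
                "src": ev["src"], "severity": sev, "failures_in_window": len(q),
                "detected_at": ev["ts"],
                "latency_s": (ev["ts"] - first_failure[ev["src"]]).total_seconds(),
            })
    return findings


# Reconciliation as a detective control: accounts that exist in a system but are
# absent from the authoritative roster are exceptions for someone to investigate.
HR_ROSTER = {"alice", "bob", "carol"}                    # constructed
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "svc-old"}   # constructed


def reconcile_accounts(authoritative, observed):
    """Return observed accounts with no match in the authoritative source, sorted."""
    return sorted(set(observed) - set(authoritative))


if __name__ == "__main__":
    for f in detect_failed_logins(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['src']} failures={f['failures_in_window']} "
              f"at {f['detected_at'].isoformat()} latency={f['latency_s']:.0f}s")
    print("unreconciled accounts:", reconcile_accounts(HR_ROSTER, ACTIVE_ACCOUNTS))
```

Run as a script it raises ALERT for 10.0.0.5 on the third failure (4 seconds after the first) and ESCALATE on the fifth, stays silent for the single failure from 10.0.0.7, and flags `svc-old` as an account with no owner in the roster. Neither finding stops anything, which is the point the page makes: the value lies in the escalation procedure that follows, and in how quickly it follows.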
🎯 How does Detective Control appear on the CISA Exam?
You may be asked to evaluate a control framework and identify which controls are primarily detective in nature, versus preventive or corrective.
A scenario might describe a security breach that went undetected for an extended period – expect questions about the adequacy of existing detective controls.
Expect questions about the limitations of detective controls in mitigating risk, and how they should be combined with other control types for a robust security posture.
❓ Frequently Asked Questions
How do detective controls relate to incident response?
Detective controls are the *trigger* for incident response. They identify the event, and incident response procedures dictate the subsequent actions to contain, eradicate, and recover from the incident.
Can a control be both detective and preventive?
Rarely, but some controls have dual functionality. For example, a firewall can *prevent* unauthorized access (preventive) and *log* attempted intrusions (detective), but its primary function dictates its classification.
What’s the difference between a detective control and an audit?
Audits are periodic evaluations, while detective controls are ongoing monitoring. An audit *uses* detective control outputs (like logs) as evidence, but isn’t a continuous control itself.