📖 What is Control?
A control is a safeguard or countermeasure enacted to mitigate identified risks to organizational assets. These can be administrative (policies), technical (encryption), or physical (locks). Effective controls ensure confidentiality, integrity, and availability of information, aligning with risk management strategies.
"The CISM exam frequently tests the application of controls. Understand the differences between preventative, detective, and corrective controls, and their relative costs. Be prepared to select the *most appropriate* control given a scenario, not simply any valid control."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of Control?
- ▸ Preventative controls aim to stop incidents *before* they occur, such as segregation of duties or access control lists.
- ▸ Detective controls identify incidents *as* they happen, such as intrusion detection systems or audit logs.
- ▸ Corrective controls minimize damage *after* an incident, including backups, disaster recovery, and incident response plans.
- ▸ Controls are not free; cost-benefit analysis is crucial to ensure controls are proportionate to the risk they address.
- ▸ The CISM exam emphasizes aligning controls with business objectives and the overall information security governance framework.
🎯 How does Control appear on the CISM Exam?
You may be asked to analyze a business scenario and select the *most effective* control to mitigate a specific risk, considering cost and impact.
A scenario might describe a security incident; expect questions about which type of control (preventative, detective, or corrective) would have best addressed it.
Expect questions about the role of controls within a broader risk management program, including how they are assessed and monitored for effectiveness.
❓ Frequently Asked Questions
How do I differentiate between a preventative and detective control in a real-world situation?
Think about timing. Preventative controls happen *before* a potential issue, while detective controls identify an issue *as* it's happening. For example, a firewall is preventative, while an IDS is detective.
What does 'compensating control' mean, and why is it important on the exam?
A compensating control is used when a primary control isn't feasible. It provides an alternative safeguard. The exam tests your ability to identify appropriate compensating controls when faced with constraints.
How are controls related to risk appetite?
An organization's risk appetite dictates the level of risk it is willing to accept. Controls are implemented to reduce risk to within that acceptable level. A higher risk appetite may mean fewer, less expensive controls.