Exam SY0-501 topic 1 question 746 discussion

I agree with Supreem. Answer C would would match the definition of a compensating control, rather than a preventive control. For a "preventive control" I think it's much better the definition in answer D.

shoudnt it be D? To prevent is to mitigate the risk?

Answer is D: "Preventative controls are designed to be implemented prior to a threat event and reduce and/or avoid the likelihood and potential impact of a successful threat event. Examples of preventative controls include policies, standards, processes, procedures, encryption, firewalls, and physical barriers." https://www.sciencedirect.com/topics/computer-science/preventative-control

Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the control-s implementation. Source: https://www.briefmenow.org/isaca/cisa-part-which-of-the-following-is-not-an-example-of-preventive-control/

Provided answer is correct. The question asks the difference. Preventive controls fill the gaps. Compensating controls also mitigate the attacks: Compensating control is a security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

Preventive controls attempt to prevent security incidents. Hardening systems increases their basic configuration to prevent incidents. Security guards can prevent unauthorized personnel from entering a secure area. Change management processes help prevent outages from configuration changes. An account disablement policy ensures that accounts are disabled when a user leaves the organization. CompTIA Security+ Get Certified Get Ahead SY0-501 Study Guide Darril Gibson – pg. 126

Both Compensating and Corrective are designed to mitigate risk one by preventing, another by adding a layer where others can't reach. I believe here A and D could be the only answer and honestly I believe A could be the one since if user lacks control, preventative controls will stop any action which shouldn't be allowed in the first place.

my advice whatever Duranio says go with it

If duranio says it's D, the answer is D!!!

Moderators, anything worth doing at all is worth doing well. If your intention is to help people pass their exams, please do it well by providing the correct answers. Posterity will thank you for it. Please, we are begging you all

-- Preventive—the control physically or logically restricts unauthorized access. A directive can be thought of as an administrative version of a preventive control. -- Compensating—the control does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site.

Doesn't C fall under Compensating control, as current controls are already in place. Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk