Exam CISA topic 1 question 1743 discussion

A directive control is a type of control that establishes policies, procedures, and guidelines to direct the behavior of individuals within an organization. In this case, the implementation of a policy requiring minimum security control baselines for configuring servers or systems falls under directive controls as it sets the expectations and requirements for security practices within the organization. This conclusion is supported by the understanding that directive controls are designed to guide actions and decisions, which aligns with the nature of establishing security policies.

C. Preventive. Preventive controls are designed to prevent security incidents by establishing standards and baselines that must be followed. By requiring minimum security control baselines when configuring servers or systems, the organization is proactively reducing the risk of security vulnerabilities and ensuring that systems are configured securely from the outset. Option B, "Directive," refers to controls that provide guidance or instructions on how to act. While requiring minimum security control baselines does provide guidance, the primary purpose of this policy is to prevent security incidents by ensuring that systems are configured securely from the start. Therefore, it is best categorized as a preventive control. Directive controls are more about setting policies, procedures, and guidelines to direct behaviour, whereas preventive controls are specifically aimed at stopping unwanted events from occurring.

B. Directive A directive control is one that sets policies or guidelines that direct behavior, ensuring that certain actions or standards are followed. In this case, the policy to require minimum security control baselines when configuring servers or systems is a directive control because it establishes mandatory security configurations that must be followed.

this is b