While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements: -> All sensitive data must be classified.
-> All sensitive data must be purged on a quarterly basis.
-> Certificates of disposal must remain on file for at least three years.
This framework control is MOST likely classified as:
Click on the arrows to vote for the correct answer
A. B. C. D.A.
The framework control outlined in the question has several requirements related to the handling and disposal of sensitive data. To determine the type of control, it is important to understand the different types of controls.
Prescriptive controls provide a specific set of steps or procedures that must be followed to ensure compliance with a particular security requirement. Risk-based controls, on the other hand, take a more flexible approach, allowing organizations to tailor their security measures to specific risks and threats.
Preventive controls are designed to prevent security incidents from occurring in the first place. They focus on keeping threats out and reducing the likelihood of a successful attack. Corrective controls, on the other hand, are designed to mitigate the impact of security incidents that have already occurred. They focus on containing the damage and restoring systems to a secure state.
Looking at the requirements outlined in the question, it is clear that the control is prescriptive in nature. The control specifies a set of steps that must be followed, including data classification, quarterly data purging, and retaining certificates of disposal for at least three years. These are specific requirements that must be followed to ensure compliance with the control.
Therefore, the answer is A. prescriptive.