In Chapter 7, we discussed the differences between preventive, detective, and corrective controls. Chapters 8-10 offer specific types of controls within those categories over information security, confidentiality, privacy, processing integrity, and availability.
Think about controls that you have encountered in your own life (personal, professional, within organizational memberships, etc.). Note that at the time, you may or may not have realized that the answer to “why is this done?” was that a control was being implemented: a control over operations, reporting, and/or compliance.
Yes, generally speaking there are two types: preventive and detective controls. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.
Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
- Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
- Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
- Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
Preventive control falls in the category of integrity:
Integrity is concerned with the trustworthiness, origin, completeness, and correctness of information as well as the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to integrity of information itself but also to the origin integrity—that is, integrity of the source of information. Integrity protection mechanisms may be grouped into two broad types: preventive mechanisms, such as access controls that prevent unauthorized modification of information, and detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed. Controls that protect integrity include principles of least privilege, separation, and rotation of duties
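The answer above describes preventive controls (segregation of duties, authorization limits) and detective controls (periodic counts compared to control records, detection of unauthorized modification) in prose. The following Python is an added example, not part of the original answer or of any textbook, that turns each of those into an enforceable check: `perform()` blocks a person from holding a second role on the same transaction and forces supervisory approval above a limit, `reconcile()` flags assets whose physical count disagrees with the control record, and `seal()`/`verify_seal()` use a keyed hash (HMAC, my choice of detective mechanism) so that a later edit to a stored record is detectable. The role names, approval limit, asset counts and key are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Roles every transaction must pass through, each held by a different person
# (constructed role names for this example).
REQUIRED_ROLES = ("approve", "record", "custody")
APPROVAL_LIMIT = 10_000   # constructed threshold above which a supervisor must approve


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action before it happens."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    actions: dict = field(default_factory=dict)   # role -> user who performed it


def perform(tx, role, user, supervisor=False):
    """Preventive control: refuse the action rather than find the problem later.

    - segregation of duties: one person may not hold two roles on a transaction
    - authorization limits: amounts above APPROVAL_LIMIT need supervisory approval
    """
    if role not in REQUIRED_ROLES:
        raise ControlViolation(f"unknown role {role!r}")
    if role in tx.actions:
        raise ControlViolation(f"{role} already performed on {tx.tx_id}")
    if user in tx.actions.values():
        raise ControlViolation(
            f"{user} already acted on {tx.tx_id}; duties must be segregated")
    if role == "approve" and tx.amount > APPROVAL_LIMIT and not supervisor:
        raise ControlViolation(
            f"{tx.amount} exceeds limit {APPROVAL_LIMIT}; supervisory approval required")
    tx.actions[role] = user
    return tx


def is_complete(tx):
    """True once all three segregated roles have acted on the transaction."""
    return all(r in tx.actions for r in REQUIRED_ROLES)


def reconcile(control_records, physical_counts):
    """Detective control: compare amounts on control records with a physical count.

    Returns {asset: (recorded, counted)} for every asset whose numbers disagree
    or that appears on only one side, so each discrepancy can be investigated.
    """
    discrepancies = {}
    for asset in set(control_records) | set(physical_counts):
        recorded = control_records.get(asset)
        counted = physical_counts.get(asset)
        if recorded != counted:
            discrepancies[asset] = (recorded, counted)
    return discrepancies


def seal(record, key):
    """Detective control for stored data: an HMAC-SHA256 tag over a canonical
    serialization of the record. Editing the record without the key cannot
    produce a matching tag, so the modification is caught on the next check."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(record, key, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal(record, key), tag)


def demo():
    """Walk both control types over constructed data; returns the outcomes."""
    tx = Transaction("TX-1001", amount=2_500)
    perform(tx, "approve", "alice")
    perform(tx, "record", "bob")
    blocked = None
    try:
        perform(tx, "custody", "alice")      # alice tries to take a second role
    except ControlViolation as e:
        blocked = str(e)
    perform(tx, "custody", "carol")

    # Control records versus a periodic physical count (constructed numbers).
    records = {"laptops": 40, "scanners": 12, "cash_drawer": 500}
    counts = {"laptops": 39, "scanners": 12, "cash_drawer": 500}
    found = reconcile(records, counts)

    key = b"constructed-demo-key"
    tag = seal(records, key)
    tampered = dict(records, laptops=39)     # record edited to hide the shortfall
    return (is_complete(tx), blocked, found,
            verify_seal(records, key, tag), verify_seal(tampered, key, tag))


if __name__ == "__main__":
    print(demo())
```

Running the module shows the preventive check stopping the second role before it is recorded, while the two detective checks only report what already went wrong: the reconciliation names the asset that is short, and the seal fails once the record has been altered. That is the division of labour the answer describes, with the detective results also serving as evidence that the preventive rules were applied.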