Distinguish between preventive and mitigative controls with examples.


Multiple Choice

Distinguish between preventive and mitigative controls with examples.

Explanation:

The idea being tested is the difference between stopping a risk before it materializes and limiting damage after a risk has already materialized. Preventive controls are built to stop threats from happening in the first place. They target reducing the probability that a vulnerability is exploited, so you’re preventing the incident rather than reacting to it. Examples include enforcing strong authentication, applying access controls, input validation, secure coding practices, and physical security measures. These act upstream, aiming to keep events from occurring.

Mitigative controls, on the other hand, come into play once a threat has already materialized or an incident is underway. They don’t prevent the event from happening, but they reduce the impact, severity, or likelihood of a recurrence. This category covers things like backups and disaster recovery plans, incident response procedures, containment actions, redundancy and failover capabilities, and business continuity measures. They work to limit damage and speed recovery after the fact.

So, the correct framing is that preventive controls stop risk before it occurs, while mitigative controls reduce the consequences after risk has occurred. The other options mix up the timing or scope (for example, suggesting preventive controls come after an event, or that both terms refer to the same concept, or that one is strictly physical while the other is strictly digital).
