
Answer-first summary for fast verification
Answer: An employee training program that explains the policies and procedures for reviewing new account applications
**A is correct.** Internal training programs are examples of directive controls. Directive controls describe all the policies, procedures, and rules to help execute a process as well as mitigate the risk of that process.

**B is incorrect.** This is a detective control.

**C is incorrect.** This could be either a preventive control, if the update was implemented in the absence of any cyber risk incident, or a corrective control if it was performed in response to an incident.

**D is incorrect.** This is an example of an access control, which is a preventive control.
Author: LeetQuiz
An operational risk manager at a large retail bank is asked to review the framework for the bank's risk mitigation controls. As part of this review, the manager classifies the risk controls as preventive, detective, corrective, or directive. Which of the following should the manager classify as a directive control?
A. An employee training program that explains the policies and procedures for reviewing new account applications
B. A notification to a credit card customer about a potentially fraudulent transaction on that customer's account
C. An implementation of an antivirus software update across all of the bank's IT systems
D. A dual-factor authentication protocol that is used to control access to critical business systems