Why it's not Managerial: "Managerial controls involve policies, procedures, and guidelines established by management to guide the organization's operations and activities. While managerial controls play a role in implementing and enforcing security measures, they are not specifically related to MFA or patch management in this context."
E & F -- The CertMaster learn book defines Managerial as this:
Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
And it defines Technical as this:
the control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls.
"describe the control type and category." Which, to me, means two different buckets. You have the "type" = Technical and the "category" = X. From looking at charts, I think preventative is the best fit. https://www.infosectrain.com/blog/types-of-security-controls/
D. Administrative: Both MFA and patch management involve administrative controls as they are implemented through policies, procedures, and governance structures established by management to manage security risks and ensure compliance with security requirements.
E. Preventative: Both MFA and patch management are preventative controls. MFA helps prevent unauthorized access to systems and data by requiring multiple forms of authentication, while patch management helps prevent security incidents by proactively addressing known vulnerabilities and weaknesses in software and systems before they can be exploited by attackers.
MFA (Multi-Factor Authentication) is an administrative control because it involves policies, procedures, and guidelines governing user authentication.
Patch management is a preventative control as it aims to prevent security vulnerabilities by ensuring that systems are up to date with the latest patches and updates.
The implementation of Multi-Factor Authentication (MFA) and patch management involves controls that fall under different types and categories. Here are the control types and categories for each:
Multi-Factor Authentication (MFA):
Control Type: Technical
Category: Preventative
Explanation: MFA is a technical control that falls under the preventative category. It prevents unauthorized access by requiring users to provide multiple forms of identification before accessing a system or resource.
Patch Management:
Control Type: Administrative
Category: Preventative
Explanation: Patch management is an administrative control that falls under the preventative category. It involves the process of planning, testing, and applying patches to systems and software to prevent vulnerabilities from being exploited.
So, the correct options are:
F. Technical (for MFA)
D. Administrative (for patch management)
B & E
Why B? Via NIST:
Organizations typically exercise managerial, operational, and financial control over their information systems and the security provided to those systems, including the authority and capability to implement or require security controls deemed necessary to protect organizational operations and assets, individuals, other organizations, and the Nation.
I think you really have to focus on the phrasing of this question. If MFA was already being used, then I believe it would fall under technical, but at this point in time, it's still being implemented, and so it would fall under managerial.
It's not technical. According to CompTIA: Technical controls are primarily built into the information system through mechanisms contained in hardware, software, or firmware components. The example is Biometrics.
Getting a bit annoyed with the wrong answers; people are not studying properly. It clearly states that managerial controls are processes and procedures; technical is logical access control systems and security systems itself.
B. Managerial
E. Preventative
Creating the policy that MFA must be used is in the Managerial control category.
Creating a patch management program or system is also in the Managerial control category.
MFA is a preventive control type.
Patch management is also a preventive control type.
So, by the same token, the question could have read... "A Security Technician is implementing..."
They are both in the Preventative & Technical control category. To create a Patch Management Program requires sound TECHNICAL nuances; same applies to designing/implementing an MFA.
Thereafter, they are both methods that offer different levels of PREVENTION against malicious actors.