Certified in Risk and Information Systems Control (CRISC) — Question 851

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

Answer options

• A. Detective
• B. Preventive
• C. Compensating
• D. Directive

Correct answer: D

Explanation

The correct answer is 'Directive' because the legal text sets guidelines and expectations for user behavior, which informs users of their rights and responsibilities. The other options do not fit because 'Detective' refers to controls that identify and respond to incidents, 'Preventive' aims to stop incidents before they occur, and 'Compensating' provides alternative controls when primary ones cannot be implemented.