Hospital Network β Layered Controls
A hospital uses technical controls (network segmentation, encrypted databases) to protect patient records. Managerial controls (HIPAA policies, staff training requirements) define the rules. Operational controls (nurses must badge into medication rooms) add human layers. Physical controls (biometric door locks, security cameras in server rooms) protect infrastructure. Each layer compensates for the weaknesses of the others.
Ransomware Attack β Corrective Controls in Action
A manufacturing company suffered a ransomware attack that encrypted 200 workstations. The detective control (SIEM) identified unusual encryption activity at 2 AM. The incident response team activated corrective controls: isolating infected machines (technical), restoring from offsite backups (technical/operational), and contacting law enforcement (operational). A compensating control (blocking SMB traffic at the perimeter firewall) prevented spread until patching was complete.
Which Type Is This? β Guard at the Entrance
A security guard stationed at the reception desk who checks employee IDs can simultaneously be:
- Deterrent β Attackers see the guard and may choose not to attempt entry
- Preventive β The guard physically blocks unauthorized entry
- Detective β The guard notices suspicious behavior and reports it
On the exam: read carefully. The question will tell you the primary purpose β deterring, preventing, or detecting. The guard is most often classified as deterrent in CompTIA scenarios.
Legacy System β Compensating Control
A financial institution runs a critical payment system on Windows Server 2008 R2, which no longer receives security patches. Instead of replacing the system immediately (too costly), the security team implements a compensating control: strict firewall rules allowing only specific IP addresses to communicate with the server, disabling unnecessary services, and adding enhanced logging. This reduces risk while a long-term replacement is planned.
Preventive vs. Deterrent β Know the Difference
This is a common exam trap:
- Preventive: Fence with locked gate β physically prevents unauthorized access
- Deterrent: Warning sign on the fence β only discourages would-be intruders
Key test: Can the attacker still get through despite the control? If yes β deterrent. If it stops them physically/logically β preventive.
Security Awareness Training β Directive + Operational
A global bank requires all employees to complete annual phishing simulation training. The directive control (policy mandating the training) establishes the requirement. The operational control (the awareness program itself, delivered by the security team) educates staff to recognize suspicious emails. After training, the click rate on phishing simulations drops by 60% β evidence the directive control influenced behavior.