PrepAway - Latest Free Exam Questions & Answers


Risk mitigation and risk reduction controls for providing information security are classified within three main
categories. Which of the following are being used?


A. Preventive, corrective, and administrative.

B. Detective, corrective, and physical.

C. Physical, technical, and administrative.

D. Administrative, operational, and logical.

Explanation:
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors:
administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls”
because they are more management-oriented. Examples of administrative controls are security documentation,
risk management, personnel security, and training. Technical controls (also called logical controls) are
software or hardware components, such as firewalls, IDS, encryption, and identification and authentication
mechanisms. Physical controls are items put into place to protect facilities, personnel, and resources.
Examples of physical controls are security guards, locks, fencing, and lighting.
Incorrect Answers:
A: Neither preventive nor corrective is one of the three main categories of risk reduction controls.
B: Neither detective nor corrective is one of the three main categories of risk reduction controls.
D: Operational is not one of the three main categories of risk reduction controls.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

