Backup is corrective control or a preventive control?

Question

This is a theoritical question. There are preventive controls and corrective controls. So, is Backup a corrective control or a preventive control? There are mixed answers and mixed explainations. (CISA EXAM)

Answer 1

Corrective Control

It isn't a control until it can be used and the only benefit is corrective, it does not prevent the media loss, it just helps fix the media loss.

Who cares that it needs to be implemented beforehand, and operational costs are incurred beforehand.

All other tools need to be implemented before they can be used, except maybe forensics.

That said, you need to "Channel" whoever wrote the exam and I am not CISA myself, RTFM.

Answer 2

It's a corrective control in ISMS (Information Security Management Systems).

Controls serve a security objective and modify either the likelihood of occurrence or the amount of damage done.

A backup does not prevent the loss of data due to an attack or a technical failure. It just reduces the amount of damage.

Preventive controls reduce the likelihood, corrective controls reduce the damage.

When you go through risk analysis, you have a vulnerability that is met by a threat, the risk emerges. If the threat and vulnerability match, damage occurs. The backup reduces this damage but does not modify likelihood.

The loss of data is an outcome of the event which risk is measured.

Answer 3

I'm writing an answer to clarify the issue with an example, although others have already given the correct answer: it's corrective. But I see there are others who think it's both preventive and corrective. Let's see:

Threat: the hard disk fails, or an attacker deletes your data.
Damage: data loss, with an impact on availability or integrity.

How do backups prevent these kinds of incidents? Whether you make backups or not, the probability of the incidents won't change: the hard disk will still fail with the same probability, and the same goes for the attacker. So backups can't be a preventive control.

The confusion comes from the fact that backups need to be made before the incident, so in colloquial language we can say that "we make backup to prevent data loss". But for example, an intrusion detection system needs to be installed and configured in advance too, before the incident, yet that doesn't mean it is a preventive control (it's a detective control). Even though colloquially you could even say that you install an IDS to "prevent" an attacker from causing too much damage, by detecting the intruder as soon as possible.

Answer 4

In accordance with CompTIA SEC+, backup is a Compensating control.

Answer 5

imo, It's both.

Obviously a backup doesn't get used until a restore is needed (corrective), but unlike a lot of other corrective controls(e.g. blocking a domain that's attacking you), it has to be implemented before the fault occurs(preventative).

I would say that the process of creating backups is a preventative control, and the process of restoring from backups is a corrective control.

Given that most people think of making backups/ 'backing up' when you ask about backups, I'd answer "preventative" in general.

Answer 6

A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident, for example. Issuing a warning or firing an employee is a corrective control, after detecting fraud, for example.

Reference: Manage Risks with Preventive, Detective, and Corrective Controls

Answer 7

In an attempt to pull together everything I'm seeing here and for the purpose of discussion, let's define "backup" as the process and the product; that is to say, the process of backing up data, the resulting backup set, and the process of restoring data. Let's also not lose sight of the fact that security controls are set in place to mitigate risk.

The easiest, but hardly exclusive, metric of risk is monetary loss. This type of loss can be realized from direct monetary loss, operational expense, cessation of production, legal expenses, opportunity costs associated with such concerns as loss of brand image and consumer loyalty, or a number of other sources of loss.

Given the foregoing arguments, backing up data can, as CompTIA and @evmenkov advance, compensate for the failure of other controls or stand in as an acceptable regulatory compromise when a primary control is too expensive or technologically infeasible to implement. Therefore, if offered, do not discount "compensating control" as a valid response.

CompTIA also, as of the 601 version of Security+, separates controls into three mutually exclusive categories: managerial (administrative), technical (logical), and operational. They separately define types of controls, which can be combined with one another and assigned as attributes to the three categories. These "types" are preventative, detective, corrective, deterrent, compensating, and physical, the last of which used to be considered a category instead of a type.

I mention this taxonomy to help reiterate what others have said in the way of the answer possibly being manifold. Without arguing for accuracy here, it is plausible that a technical control, such as creating a backup, could be simultaneously preventative, corrective, and compensating in nature.

Now to the argument as to which type(s) of control backups qualify, I agree that creating, storing, and restoring backups cannot prevent the initial loss, but we have to keep in mind that the risk to be mitigated could be "total loss." Proper backup etiquette can, indeed, prevent total data loss, agreed?

To dig a little deeper, consider the concept of recovery time objectives (RTO) and recovery point objectives (RPO). RTO defines how long a resource can be affordably offline until full restoration, while RPO defines how much data can be permanently lost post-restoration without a negative impact on the organization.

If our goal is to prevent any manner of unrecoverable data loss, then we must agree that we have an RPO of 0. Although exam sponsors, including CompTIA and most others, prefer and even need to compartmentalize concepts, sometimes to the exclusion of one another, the real world is not so cut and dried.

What this means is that we have to try to separate the "isms" from what we can observe in production. In this case, it means that even though we can lump real-world data backup into many different exam objectives or topics, such as clustering, redundancy, fault tolerance, and load-balancing, we still need to expect purified backup exam questions.

Although we can argue that backups in the form of fully synchronized hot DR sites, RAID 1 mirrored sets, or even online progressive backups provide both an RPO and RTO of zero, leading to a conclusion that such backups act as a preventative control to mitigate the risks of initial and total data loss in limited forms, it isn't likely that exam questions will take quite so deep a dive into the concept. In light of that realization, I would caution anyone with regard to choosing "preventative" as a response to a basic question on this topic; but do watch out for non-dismissable context to the contrary.

Corrective controls, on the other hand, are often defined as those put in place as a reactive response to actualized loss. Uncoupling the backup process and resulting backup set from the process of restoring the same, we can argue that the "backup" in general is a corrective control, given that the restoration occurs after the loss is incurred.

Although just a personal opinion, of the three types mentioned, and purely for the purpose of certification exams, I would sign off on compensating and corrective but pass on preventative.