blocks|key|2333312|text|校正控制|type|header-two|depth|inlineStyleRanges|entityRanges|data|2333313|它不是一个控制，直到它可以使用，唯一的好处是纠正，它不能防止媒体损失，它只是帮助修复媒体损失。|unstyled|2333314|谁会在意它需要事先实施，而运营成本是事先发生的。|2333315|除了法医之外，所有其他工具都需要在使用之前加以实现。|2333316|也就是说，无论谁写了考试，你都需要“播放”，而我自己也不是中钢协，RTFM。|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|M|8|@]|9|@]|A|$]]|$1|E|3|F|5|D|7|N|8|@]|9|@]|A|$]]|$1|G|3|H|5|D|7|O|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|P|8|@]|9|@]|A|$]]]|K|$]]

Corrective Control

It isn't a control until it can be used and the only benefit is corrective, it does not prevent the media loss, it just helps fix the media loss.

Who cares that it needs to be implemented beforehand, and operational costs are incurred beforehand.

All other tools need to be implemented before they can be used, except maybe forensics.

That said, you need to "Channel" whoever wrote the exam and I am not CISA myself, RTFM.

blocks|key|2333409|text|它是ISMS+(信息安全管理系统)中的一种校正控制。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2333410|控制符合安全目标，可以改变发生的可能性或所造成的损害的数量。|2333411|备份并不能防止由于攻击或技术故障而丢失数据。它只会减少伤害的数量。|2333412|预防控制降低了可能性，纠正控制减少了损害。|2333413|当您进行风险分析时，您有一个受到威胁的漏洞，风险就会出现。如果威胁和漏洞匹配，则会造成损害。备份可以减少此伤害，但不会修改可能性。|2333414|数据的丢失是衡量风险的事件的结果。|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|O|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|P|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|Q|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|R|8|@]|9|@]|A|$]]]|L|$]]

It's a corrective control in ISMS (Information Security Management Systems). 

Controls serve a security objective and modify either the likelihood of occurrence or the amount of damage done.

A backup does not prevent the loss of data due to an attack or a technical failure. It just reduces the amount of damage. 

Preventive controls reduce the likelihood, corrective controls reduce the damage. 

When you go through risk analysis, you have a vulnerability that is met by a threat, the risk emerges. If the threat and vulnerability match, damage occurs. The backup reduces this damage but does not modify likelihood. 

The loss of data is an outcome of the event which risk is measured.

blocks|key|2374455|text|根据CompTIA+SEC%2B，备份是一个补偿控件。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|entityMap^0^^$0|@$1|2|3|4|5|6|7|C|8|@]|9|@]|A|$]]]|B|$]]

In accordance with CompTIA SEC+, backup is a Compensating control.

blocks|key|2374385|text|海事组织，两者都是。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2374386|显然，在需要恢复(纠正)之前，备份是不会被使用的，但是与许多其他纠正控制不同(例如阻止正在攻击您的域)，它必须在故障发生之前实现(预防)。|2374387|我要说，创建备份的过程是一种预防性控制，而从备份恢复的过程是一种纠正控制。|2374388|考虑到大多数人在询问备份时都会考虑备份/‘备份’，我通常会回答“预防性”。|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|J|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|K|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|L|8|@]|9|@]|A|$]]]|H|$]]

imo, It's both.

Obviously a backup doesn't get used until a restore is needed (corrective), but unlike a lot of other corrective controls(e.g. blocking a domain that's attacking you), it has to be implemented before the fault occurs(preventative).

I would say that the process of creating backups is a preventative control, and the process of restoring from backups is a corrective control.

Given that most people think of making backups/ 'backing up' when you ask about backups, I'd answer "preventative" in general.

blocks|key|2374442|text|矫正控制是侦查和预防的结果。例如，您只能在事件发生后从备份恢复。例如，在发现欺诈行为后，发出警告或解雇员工是一种纠正控制。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2374443|参考资料：通过预防性、侦破和纠正控制管理风险|offset|length|entityMap|0|LINK|mutability|MUTABLE|url|http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/^0|0|5|H|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@$D|O|E|P|1|Q]]|A|$]]]|F|$G|$5|H|I|J|A|$K|L]]]]

A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident, for example. Issuing a warning or firing an employee is a corrective control, after detecting fraud, for example. 

Reference: <a href="http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/" rel="nofollow noreferrer">Manage Risks with Preventive, Detective, and Corrective Controls</a>

blocks|key|2374518|text|为了将我在这里看到的所有内容和讨论的目的结合起来，让我们将“备份”定义为过程和产品；也就是说，备份数据的过程、结果的备份集和恢复数据的过程。我们也不要忽视这样一个事实，即安全控制是为了降低风险而设置的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2374519|衡量风险的最简单、但并非唯一的衡量标准是货币损失。这种损失可以从直接货币损失、运营费用、停产、法律费用、与品牌形象损失和消费者忠诚度等关切相关的机会成本或若干其他损失来源中实现。|2374520|鉴于上述论点，随着CompTIA和@evmenkov的推进，备份数据可以弥补其他控制的失败，或者在主控制过于昂贵或技术上不可行时，作为一种可接受的监管妥协。因此，如果提供，不要将“补偿控制”作为有效的响应。|2374521|在601版本的CompTIA中，Security%2B还将控件划分为三个相互排斥的类别:管理(管理)、技术(逻辑)和操作。它们分别定义控件的类型，这些控件可以相互组合，并作为属性分配给这三个类别。这些“类型”是预防性的，侦破，纠正，威慑，补偿和身体，其中最后一个被认为是一个类别，而不是一个类型。|2374522|我提到这个分类法是为了帮助重申其他人说过的话，答案可能是多方面的。在这里不主张精确性，技术控制，例如创建备份，可以在本质上同时预防、纠正和补偿。|2374523|现在，对于哪种类型的控制备份(S)符合条件的论点，我同意创建、存储和恢复备份并不能防止最初的损失，但我们必须记住，要减轻的风险可能是“全损”。适当的备份礼节，确实可以防止全部数据丢失，同意吗？|2374524|为了深入研究，请考虑恢复时间目标(RTO)和恢复点目标(RPO)的概念。RTO定义了资源在完全恢复之前离线可承受的时间，而RPO则定义了恢复后可以永久丢失多少数据，而不会对组织产生负面影响。|2374525|如果我们的目标是防止任何无法恢复的数据丢失，那么我们必须同意RPO为0。尽管考试发起人，包括CompTIA和其他大多数人，喜欢甚至需要划分概念，有时甚至彼此排斥，但现实世界并不是那么简单。|2374526|这意味着我们必须努力将“主义”与我们在生产中所能观察到的东西区分开来。在这种情况下，这意味着即使我们可以将真实世界的数据备份合并到许多不同的考试目标或主题中，比如集群、冗余、容错和负载平衡，我们仍然需要期待被净化的备份测试问题。|2374527|尽管我们可以认为备份的形式是完全同步的热DR站点、RAID+1镜像集，甚至在线渐进备份都提供了零的RPO和RTO，从而得出这样的结论:这种备份可以作为一种预防性控制，以减轻有限形式的初始和全部数据丢失的风险，但考试问题不太可能会深入到这个概念中去。鉴于这一点，我要提醒任何人，选择“预防性”作为对这一主题的基本问题的回答；但要注意不可忽视的相反情况。|2374528|另一方面，纠正控制通常被定义为对实际损失作出的反应。解除备份过程和从恢复过程中产生的备份集，我们可以认为，“备份”在一般情况下是一个纠正控制，因为恢复发生在损失发生之后。|2374529|虽然只是个人的意见，提到的三种类型，纯粹为了认证考试的目的，我会签署补偿和纠正，但通过预防。|entityMap^0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Z|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|10|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|11|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|12|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|13|8|@]|9|@]|A|$]]|$1|L|3|M|5|6|7|14|8|@]|9|@]|A|$]]|$1|N|3|O|5|6|7|15|8|@]|9|@]|A|$]]|$1|P|3|Q|5|6|7|16|8|@]|9|@]|A|$]]|$1|R|3|S|5|6|7|17|8|@]|9|@]|A|$]]|$1|T|3|U|5|6|7|18|8|@]|9|@]|A|$]]|$1|V|3|W|5|6|7|19|8|@]|9|@]|A|$]]]|X|$]]

In an attempt to pull together everything I'm seeing here and for the purpose of discussion, let's define &quot;backup&quot; as the process and the product; that is to say, the process of backing up data, the resulting backup set, and the process of restoring data. Let's also not lose sight of the fact that security controls are set in place to mitigate risk.
The easiest, but hardly exclusive, metric of risk is monetary loss. This type of loss can be realized from direct monetary loss, operational expense, cessation of production, legal expenses, opportunity costs associated with such concerns as loss of brand image and consumer loyalty, or a number of other sources of loss.
Given the foregoing arguments, backing up data can, as CompTIA and @evmenkov advance, compensate for the failure of other controls or stand in as an acceptable regulatory compromise when a primary control is too expensive or technologically infeasible to implement. Therefore, if offered, do not discount &quot;compensating control&quot; as a valid response.
CompTIA also, as of the 601 version of Security+, separates controls into three mutually exclusive categories: managerial (administrative), technical (logical), and operational. They separately define types of controls, which can be combined with one another and assigned as attributes to the three categories. These &quot;types&quot; are preventative, detective, corrective, deterrent, compensating, and physical, the last of which used to be considered a category instead of a type.
I mention this taxonomy to help reiterate what others have said in the way of the answer possibly being manifold. Without arguing for accuracy here, it is plausible that a technical control, such as creating a backup, could be simultaneously preventative, corrective, and compensating in nature.
Now to the argument as to which type(s) of control backups qualify, I agree that creating, storing, and restoring backups cannot prevent the initial loss, but we have to keep in mind that the risk to be mitigated could be &quot;total loss.&quot; Proper backup etiquette can, indeed, prevent total data loss, agreed?
To dig a little deeper, consider the concept of recovery time objectives (RTO) and recovery point objectives (RPO). RTO defines how long a resource can be affordably offline until full restoration, while RPO defines how much data can be permanently lost post-restoration without a negative impact on the organization.
If our goal is to prevent any manner of unrecoverable data loss, then we must agree that we have an RPO of 0. Although exam sponsors, including CompTIA and most others, prefer and even need to compartmentalize concepts, sometimes to the exclusion of one another, the real world is not so cut and dried.
What this means is that we have to try to separate the &quot;isms&quot; from what we can observe in production. In this case, it means that even though we can lump real-world data backup into many different exam objectives or topics, such as clustering, redundancy, fault tolerance, and load-balancing, we still need to expect purified backup exam questions.
Although we can argue that backups in the form of fully synchronized hot DR sites, RAID 1 mirrored sets, or even online progressive backups provide both an RPO and RTO of zero, leading to a conclusion that such backups act as a preventative control to mitigate the risks of initial and total data loss in limited forms, it isn't likely that exam questions will take quite so deep a dive into the concept. In light of that realization, I would caution anyone with regard to choosing &quot;preventative&quot; as a response to a basic question on this topic; but do watch out for non-dismissable context to the contrary.
Corrective controls, on the other hand, are often defined as those put in place as a reactive response to actualized loss. Uncoupling the backup process and resulting backup set from the process of restoring the same, we can argue that the &quot;backup&quot; in general is a corrective control, given that the restoration occurs after the loss is incurred.
Although just a personal opinion, of the three types mentioned, and purely for the purpose of certification exams, I would sign off on compensating and corrective but pass on preventative.

This is a theoritical question. There are preventive controls and corrective controls. So, is Backup a corrective control or a preventive control? There are mixed answers and mixed explainations. (CISA EXAM)

Backup is corrective control or a preventive control?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

这是个理论问题。有预防控制和纠正控制。那么，备份是纠正控制还是预防性控制？有复杂的答案和复杂的解释。(CISA考试)

问备份是纠正控制还是预防性控制？
EN

回答 6

Security用户

校正控制

Security用户

Security用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问备份是纠正控制还是预防性控制？EN

回答 6

Security用户

校正控制

Security用户

Security用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问备份是纠正控制还是预防性控制？
EN