Welcome to this CCISO executive simulation. Train your strategic decision-making skills by evaluating formal security control classifications and how they align with risk governance frameworks.
CCISO (712-50) Executive Decision Simulation
Executive Briefing
You are the CISO for an enterprise SaaS provider hosting critical healthcare data. Following a recent surge in automated attacks against your client-facing portals, the engineering team has requested an additional $500,000 budget to deploy an active defense system.
Business Context
The organization is preparing for an upcoming ISO 27001 surveillance audit. The Board of Directors' audit committee requires all new significant security investments to be properly mapped to the risk registry using formal governance terminology. They need to understand exactly how this new system functions within the broader control environment.
Decision Scenario
The proposed system sits in front of the secure website. When it detects a malicious payload or unauthorized probing behavior from a specific IP address, it automatically adds that IP to a blocklist to drop all subsequent traffic. During the board presentation, the head of the audit committee asks you to classify this specific investment to ensure the risk registry accurately reflects its purpose.
Question
A system is designed to dynamically block offending Internet IP addresses from requesting services from a secure website. This type of control is considered______________________.
Hint: Consider the standard formal categories of security controls (Preventive, Detective, Corrective). This system identifies an event that has already begun, and then alters the environment to fix or secure the situation.
Strategic Analysis
What is the real problem
The executive challenge is mapping operational technology capabilities into formal IT governance and risk management terminology so that auditors and the board can accurately assess the organization's defense-in-depth posture.
Business vs. security perspective
Engineers view the system as a "dynamic blocker" (a feature). Executives and auditors view the system through its function in the risk lifecycle: does it stop an event before it happens, discover an event that is happening, or fix an event that has been discovered?
Risk and impact analysis
By understanding control classifications, the CISO ensures that the organization isn't just buying redundant tools. A mature risk strategy requires a balanced portfolio of preventive, detective, and corrective controls to minimize business impact effectively.
Why the correct answer is BEST (B)
A corrective security control is designed to react to a detected incident and take action to restore the environment to a secure state. Because the system observes the offending behavior (detective phase) and then takes action to block the IP and stop further damage, it is executing a corrective function.
Why the other options are weaker
A (Preventive detection control): This mixes two distinct formal categories. A preventive control stops an action *before* it occurs (like a locked door). A detective control identifies the action. They are distinct concepts in governance.
C (Zero-day attack mitigation): This describes a marketing or operational capability, not a formal IT governance control classification used for audits.
D (Dynamic blocking control): This is a descriptive, technical phrase for what the software does, not an industry-standard control classification category (like Administrative, Technical, Physical, Preventive, Detective, Corrective).
MINI LESSON: Security Control Functional Types
- Preventive: Aims to stop an incident from occurring (e.g., Firewalls, Encryption, MFA).
- Detective: Aims to identify and characterize an incident in progress or after it has occurred (e.g., IDS, SIEM, Log monitoring).
- Corrective: Aims to limit the extent of damage and restore the system to a normal state after an incident is detected (e.g., Automated IP blocking, IPS, restoring backups).
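To make the two phases of the scenario's blocking system concrete, here is an added Python example (not part of the original simulation) that replays constructed web-log lines: the detective phase counts failed requests per source IP, and the corrective phase adds an IP that crosses an assumed threshold to a blocklist so that all its subsequent requests are dropped. The log format, addresses, paths and threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic): "ip method path status"
SAMPLE_LOG = """\
203.0.113.5 GET /login 200
203.0.113.5 GET /admin 404
203.0.113.5 GET /backup.zip 404
203.0.113.5 GET /config 404
203.0.113.5 GET /setup 404
198.51.100.7 GET /login 200
198.51.100.7 GET /dashboard 200
203.0.113.5 GET /dashboard 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
PROBE_THRESHOLD = 3  # assumed: 404 responses from one IP before it counts as probing


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def process_log(text, threshold=PROBE_THRESHOLD):
    """Replay log lines in order and return (blocklist, dropped_requests).

    Detective phase: count 404 responses per source IP.
    Corrective phase: once the count reaches `threshold`, add the IP to the
    blocklist; every later request from it is dropped instead of served.
    """
    not_found = Counter()
    blocklist = set()
    dropped = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in blocklist:          # corrective control already in effect
            dropped.append(line.strip())
            continue
        if rec["status"] == "404":          # detective phase: observe probing
            not_found[rec["ip"]] += 1
            if not_found[rec["ip"]] >= threshold:
                blocklist.add(rec["ip"])    # corrective action: block the source
    return blocklist, dropped
```

Running `process_log(SAMPLE_LOG)` blocks 203.0.113.5 after its third 404 and drops its two later requests, while 198.51.100.7 is never touched; the request that trips the threshold was already answered, which is why the page classifies the control as corrective rather than preventive.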
"A CISO must translate technical features into formal governance language; the board doesn't just buy software, they buy verifiable risk mitigation capabilities."
Ready for the next executive decision?
Explore more CCISO simulations to master IT governance and risk leadership.