Organizations employ a variety of tools and procedures to provide a desired level of information security.
Accountants and auditors typically categorize controls as being preventive, detective, or corrective in nature
(Ratliff et al. 1996). Firewalls, intrusion prevention systems, physical and logical access controls, device
configuration, and encryption are widely used methods to prevent undesirable events. Intrusion detection
systems, vulnerability scans, penetration tests, and logs are examples of controls designed to detect potential
problems and security incidents. Incident response teams, business continuity management, and patch
management systems are commonly used examples of controls designed to correct problems that have been
identified.