Control Categories (Operational vs Managerial)

Cesar Bravo

Well-known member
    Jan 7, 2024
    I noticed a lot of discussion about how CompTIA determines the differences between Managerial and Operational Controls.
    One example is Awareness Programs (Training), because depending on the author, some categorize them as Managerial while others consider them an Operational Control.
    What are your thoughts, and what are your recommendations on how to better explain this to students (and even to explain to them why TestOut content differs from most internet sources)?
     

    Hank Cox

    Well-known member
    Sep 12, 2023
    Atlanta, Georgia, US
    hsec.tech
    What are your thoughts, and what are your recommendations on how to better explain this to students (and even to explain to them why TestOut content differs from most internet sources)?
    Even standards organizations have trouble making these distinctions. "NIST SP 800-53 no longer includes the concept of operational, management, or technical controls, as it is not always clear which category any given control belongs."

    I've told students that creating policies to manage risks and comply with regulations are examples of management controls. These policies may specify operational, technical, or physical security controls. Creating a policy requiring training is a management control. Teaching or taking a training course is an operational control.

    On the 701 exam, I don't know whether CompTIA would categorize a training program as operational or managerial.

    In some places the official content disagrees with multiple reputable sources like standards and vendors. I teach students how to understand the way terms will be used in a job interview or at work. I also try to help students understand when CompTIA uses the terms differently.

    When CompTIA content disagrees with the technology industry, I am concerned that students who understand the concepts and terms will lose points on the exam.
     
    I noticed a lot of discussion about how CompTIA determines the differences between Managerial and Operational Controls.
    One example is Awareness Programs (Training), because depending on the author, some categorize them as Managerial while others consider them an Operational Control.
    What are your thoughts, and what are your recommendations on how to better explain this to students (and even to explain to them why TestOut content differs from most internet sources)?
    I've always presented managerial controls as those that someone in authority requires the subjects under that authority to follow. Managerial controls require that a subject do something because that is the way they were told or ordered to do it. Managerial controls override a subject's judgement and require that they implement the control as defined by an authority.

    Operational controls are based on how something is accessed or operated. For example, in a car purchased from a US automaker with an automatic transmission, the driver enters the vehicle on the left (as the car would be seen from the rear) and sits behind a steering wheel. The subject (now an operator of that vehicle) has access to two pedals: an accelerator (go pedal) and a brake (stop pedal). The operator will also have access to some transmission control that is used to change the state of the vehicle between 'park', 'drive', and 'reverse'. The subject uses these controls to operate the vehicle.
     