Processes to recover critical files after a ransomware attack are corrective controls because they are designed to restore systems or data after an incident has occurred. ISACA guidance on ransomware and security controls explicitly identifies backups and recovery capabilities as corrective in nature.
Option D is correct because corrective controls aim to reduce the impact of an event and restore normal operations. File recovery, restoration from backups, and recovery procedures are classic corrective activities. ISACA specifically notes that restoring from backups is an effective corrective action against ransomware.
Option B is incorrect because preventive controls try to stop the ransomware attack from happening in the first place, such as patching, endpoint protection, email filtering, or access controls. Recovery processes occur after the attack and therefore are not preventive.
Option C is incorrect because detective controls identify that an incident has occurred or is occurring, such as alerts, monitoring, or anomaly detection. Recovery processes do not detect; they restore.
Option A is incorrect because compensating controls are alternate controls used when a primary control cannot be implemented as intended. Recovery processes after ransomware are more directly classified as corrective, not compensating.
Therefore, D is the best answer because processes for recovering critical files after ransomware are designed to correct the damage and restore operations.
References (Official ISACA):
ISACA Journal, Evidential Study of Ransomware Cryptoviral Infections and Countermeasures — restoring from backups is the first and most effective corrective action against ransomware.
ISACA, Specific Controls You Can Use — data backups are a corrective control.
ISACA, Blueprint for Ransomware Defense — recovery readiness is part of ransomware resilience.
Submit