Preventive security controls proactively stop unauthorized access before it occurs. The most effective
method is strict access management, where new or additional access rights require formal validation
before being granted.
Why Is Approval-Based Access Control the Best Preventive Measure?
Prevents Unauthorized Entry – Ensures that only approved personnel have access to the power plant.
Implements Segregation of Duties (SoD) – Supervisors validate access requests, reducing insider
threats.
Aligns with Least Privilege Principle – Employees get only the minimum access necessary for their
role.
Prevents Security Risks Before They Happen – Unlike detective or corrective controls, this method
stops unauthorized access before it occurs.
Why Not the Other Options?
A. Offboarding procedure (monthly review) – This is a detective control, identifying issues after
access is granted, not preventing them.
B. Smart lock anomaly scanning – Also detective, as it identifies suspicious behavior after access has
been used.
D. Automatic notifications for after-hours entry – A corrective control, responding to potential
violations instead of preventing them.
IIA Reference:
IIA’s GTAG on Identity and Access Management – Recommends pre-approval processes for sensitive
locations.
ISO 27001 Annex A.9 (Access Control) – Requires role-based access management for critical
infrastructures.
NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) – Defines supervisor
approval as a key preventive measure.