Detective access controls are implemented to identify and alert on security incidents or policy violations after they have occurred or as they are occurring. An Intrusion Detection System (IDS) is a quintessential detective tool. Its primary function is to monitor network traffic or system activities for suspicious patterns, known attack signatures, or anomalies. When a potential threat is identified, the IDS generates an alert, enabling security personnel to investigate and respond. This directly strengthens an organization's ability to detect unauthorized access and other security events.

A. Patches: This is a preventive and corrective control. It fixes known vulnerabilities to prevent them from being exploited in the first place.

B. Backups: This is a corrective and recovery control. It is used to restore data and systems to a known-good state after a security incident has caused damage or loss.

D. Encryption: This is a preventive control. It renders data unreadable to unauthorized parties, thereby preventing a breach of confidentiality, but it does not detect access attempts.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). Section 3.3

Control SI-4

"System Monitoring

" describes the function of monitoring systems to "detect attacks and indicators of potential attacks" and "unauthorized local

network

and remote connections

" which is the core purpose of an IDS as a detective control. (p. 299).

2. Bauer

L. (2019). 18-730: Introduction to Computer Security

Lecture 2: Security Policies & Controls. Carnegie Mellon University. Slide 19

"Types of Controls

" explicitly categorizes "Intrusion detection systems" under the "Detective" control type.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM

18(7)

387–408. This foundational paper discusses security principles. While it doesn't use the modern "detective" term

it describes the principle of "audit trail" (Section I.A.5)

which is the basis for detective controls like IDS that analyze activity logs to detect intrusions. DOI: https://doi.org/10.1145/361011.361062