Which of the following would NOT be considered a preventive control?


Preventive controls are measures implemented to stop security incidents from occurring in the first place. These controls aim to reduce vulnerabilities and deter potential threats.

Firewalls serve as a barrier against unauthorized access, actively monitoring and controlling incoming and outgoing network traffic based on security rules. This is a classic example of a preventive control because it stops potential threats before they can penetrate a network.

Regular software updates are essential for fixing vulnerabilities that could be exploited by attackers. By keeping software up to date, organizations can prevent many types of attacks, thereby fitting the definition of a preventive control.

User training and awareness programs equip employees with the knowledge to recognize and respond to security threats, thus preventing incidents caused by human error or ignorance. This proactive measure is another effective preventive control tactic.

Incident response plans, however, are not preventive but reactive. They outline the steps to take after a security breach or incident has occurred, focusing on recovery and mitigation rather than on preventing the incident itself. This is why incident response plans are correctly identified as not being a preventive control.
