What are common security controls?

Prepare for the Security Control Assessor Exam with comprehensive study materials and multiple-choice questions. Get equipped with the knowledge and skills needed for success.

Common security controls refer to security measures that can be utilized across multiple information systems rather than being limited to a single, specific application. These controls are designed to be broadly applicable and support a wide range of organizational needs regarding information security.

The reason this answer is correct lies in the concept of inheritable controls, which are security practices established at a higher level—such as at the organizational or system level—that can be shared or adopted by different systems within the same environment. For example, security policies regarding access control or incident response that are developed for one system can be effectively applied to another system without needing to create new controls from scratch.

This approach not only streamlines the implementation of security measures but also fosters consistency across the organization, enhancing the overall security posture. Inheriting controls allows organizations to maintain compliance with regulatory requirements more efficiently and reduces redundancy in security efforts across diverse systems.

In contrast, the other options do not accurately reflect the concept of common security controls. Controls unique to specific systems limit applicability, and controls solely for data encryption or those that pertain only to physical security measures don't capture the broad applicability inherent in common security controls.
