Which of the following is classified as a preventative control?

Preventative controls are designed to deter or prevent incidents from occurring in the first place. Access controls are an excellent example of this type of control because they regulate who can access information systems and data. By restricting access to authorized users only, these controls help minimize the risk of unauthorized access and potential data breaches. This preemptive approach is critical in maintaining the integrity and security of an organization’s data.

Other options, while important in an overall risk management strategy, serve different functions. Post-incident analysis is aimed at understanding and learning from incidents after they occur, which is a corrective measure rather than a prevention strategy. Data recovery efforts focus on restoring data after a loss or incident has happened and serve as a recovery control. Incident reporting is essential for tracking security breaches but doesn't prevent them; it instead facilitates response and awareness after an event occurs. Thus, access controls stand out as the method that actively prevents unauthorized actions from happening, making them the correct answer.