Which of the following is the set of security controls for an information system that is primarily implemented and executed by people?

Prepare for the FedVTE Cyber Risk Management Test. Practice with flashcards and multiple choice questions, each with hints and explanations. Be ready for your exam!

The correct answer focuses on operational controls, which are indeed primarily implemented and executed by people. Operational controls involve day-to-day operations, processes, and procedures that are directed at protecting information and managing security risks. These controls are often related to activities such as personnel security, incident response practices, and physical and environmental security measures, all of which rely heavily on human involvement and decision-making.

Management controls, on the other hand, are more strategic in nature and centered around the governance and oversight of the information security program. They involve policies, procedures, and organizational structures necessary to manage risk and ensure compliance but do not primarily revolve around execution by individuals.

Technical controls utilize technology to protect information systems, such as firewalls, encryption, and intrusion detection systems. While these controls also contribute to the security of information systems, they are not executed by individuals in the same fundamental way that operational controls are.

Understanding the distinction between these types of controls clarifies why operational controls, which are mainly about human enforcement, are the right answer.
