Which of the following is an example of a preventive control?

The correct answer is the practice of security patching of systems, which is a clear example of a preventive control. Preventive controls are measures taken to prevent security incidents from occurring in the first place. By applying security patches, vulnerabilities within software or systems are addressed before they can be exploited by attackers. This proactive approach significantly reduces the risk of unauthorized access, data breaches, or other security threats.

In contrast, the other choices represent different types of controls. Monitoring network traffic for anomalies is classified as a detective control, as it is focused on identifying potential security issues after they occur or while they are in progress. Conducting incident response drills also falls under a different category, as it prepares the organization to respond effectively to incidents rather than preventing them. Analyzing logs after a breach is a form of corrective control, as it involves reviewing and addressing issues that have already occurred. Each of these practices has its own importance within a comprehensive security strategy, but security patching specifically aims to stop vulnerabilities before they can be exploited, categorizing it as a preventive measure.