When a cybersecurity control does not map to CIA objectives, what should be done?

The situation tests alignment of cybersecurity controls with the CIA objectives—confidentiality, integrity, and availability. If a control does not map to those objectives, the right first move is to question its purpose and review why it exists, what risk it was meant to mitigate, and whether that risk remains relevant. This careful examination helps determine if the control is misapplied, outdated, redundant, or addressing a risk outside CIA. From there you can decide to modify the control so it supports CIA, retire it, or replace it with a more appropriate measure. Shutting it down immediately, ignoring it, or swapping it out without analysis would risk leaving gaps or wasting resources. For a solid outcome, investigate the control’s intent, reassess the risk, and take action based on that risk-based conclusion.