Which of the following is not considered a managerial control?

Managerial controls are processes and procedures that involve the planning, implementation, and governance of security practices, primarily focusing on administrative functions. These controls generally encompass the establishment of policies, practices, risk management, and training.

Creating security policies falls squarely within the realm of managerial controls. It involves high-level decision-making that shapes how an organization manages its security posture. Similarly, conducting training sessions is crucial for ensuring that employees understand the security policies and practices, thereby fostering a culture of security awareness.

Conducting risk assessments is also a managerial control. This process allows an organization to identify potential security threats and vulnerabilities, which informs the development of security policies and practices.

Implementing firewalls, however, is regarded as a technical control rather than a managerial one. Technical controls involve the use of technology and tools to enforce security measures, such as hardware or software solutions that protect networks and systems. Firewalls serve to control incoming and outgoing traffic based on predetermined security rules, and while they are essential for an organization's security framework, they do not fall under the governance and policy-setting functions associated with managerial controls. Therefore, this option is the correct answer.