(ISC)2 Certified in Cybersecurity Practice Exam


Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What type of controls would include security policies and procedures?

  1. Technical Controls

  2. Physical Controls

  3. Administrative Controls

  4. Compliance Controls

The correct answer is: Administrative Controls

Administrative controls encompass the policies and procedures that organizations put in place to manage their overall security posture. These controls are crucial as they guide employee behavior and establish the framework through which security measures are implemented and maintained. By formalizing security policies, organizations ensure that there is a clear understanding of the required practices and guidelines necessary for safeguarding sensitive information and resources.

This type of control operates from an organizational perspective and focuses on the management and operational aspects of security, including risk assessments, incident response plans, training, and awareness programs. It aims to establish a culture of security throughout the organization, ensuring that employees recognize and understand their roles and responsibilities in maintaining security integrity.

In contrast, technical controls involve specific tools and technologies used to protect systems and data, such as firewalls and encryption. Physical controls relate to the tangible aspects of security, such as locks and surveillance systems, designed to protect facilities and assets. Compliance controls focus on adherence to regulations and standards but do not encompass the broader set of policies and procedures that guide an organization’s overall approach to security.