1.3.2. Administrative, Technical, and Physical Controls
💡 First Principle: Implementation category describes how a control is implemented: through people and process (administrative), through technology (technical), or through physical measures (physical). The same security objective often requires all three — and weaknesses in any one category can undermine the others.
Administrative controls operate through human behavior, policy, and process. Their effectiveness depends on enforcement and culture. A policy that nobody follows is not a control — it's a document. Administrative controls include: security policies, acceptable use policies, background checks, separation of duties requirements, security awareness training, and incident response procedures.
Technical controls operate through technology and are generally more reliable and scalable than administrative controls, but they can be misconfigured, bypassed, or fail outright (often without anyone noticing). Technical controls include: firewalls, encryption, access control systems, IDS/IPS, antivirus, MFA, and audit logging.
Physical controls protect against physical threats — unauthorized entry, theft, natural disasters, and hardware damage. Physical controls include: locks, fences, mantrap entry systems, security guards, CCTV, fire suppression systems, and environmental controls.
| Security Objective | Administrative | Technical | Physical |
|---|---|---|---|
| Prevent data theft by insiders | Policy + background check | DLP + access control + encryption | Tailgating controls + no personal devices |
| Protect server room from unauthorized access | Access policy + visitor log | Badge reader + access logs | Mantrap + guards + CCTV |
| Ensure data backup integrity | Backup policy + restoration testing procedure | Automated backup + hash verification | Offsite physical storage |
💡 Key Point: When the exam asks for a "comprehensive" solution or asks which approach provides the "best" protection, the answer almost always involves all three categories. Technical-only answers are typically wrong when administrative and physical controls are also relevant.
⚠️ Exam Trap: Technical controls can fail silently. An administrator who disables logging to free up disk space has eliminated a detective control. A backup system that's been failing for months but hasn't been tested is not actually a control. Administrative controls (testing, auditing, reviewing) keep technical controls honest.
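The backup row of the table and the exam trap above make the same point from two sides: hash verification is a technical control, but it only stays honest if an administrative procedure (regular restoration testing and a freshness audit) actually exercises it. The following Python script is an added illustration, not code from this guide or from any particular backup product. The manifest format (path to SHA-256 digest), the one-day maximum backup age and the sample files are all constructed assumptions; the script verifies every digest in the manifest, flags a backup that is older than policy allows, and then performs a restore test into a temporary directory and re-verifies from disk, which is what catches a backup job that has been "succeeding" while silently writing nothing usable.

```python
"""Backup integrity check: SHA-256 manifest verification, a freshness
audit, and a restore test. Added example; sample data is constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample "backup archive": relative path -> file bytes.
SAMPLE_BACKUP = {
    "etc/app.conf": b"listen=127.0.0.1\nlog_level=info\n",
    "data/users.db": b"\x00\x01user-table-bytes\x02\x03",
}
# Manifest recorded when the backup was taken (path -> SHA-256 hex digest).
SAMPLE_MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in SAMPLE_BACKUP.items()}
# Same archive with one file altered after the manifest was written.
TAMPERED_BACKUP = dict(SAMPLE_BACKUP, **{"data/users.db": b"\x00\x01TAMPERED\x02\x03"})

MAX_BACKUP_AGE = timedelta(days=1)  # assumed policy value: backups must be < 1 day old
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example
RECENT = NOW - timedelta(hours=1)  # a backup completed an hour ago
STALE = NOW - timedelta(days=40)   # a backup job that quietly stopped running


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(backup: dict, manifest: dict) -> list:
    """Technical control: compare every file against its recorded digest.
    Returns a list of problems (empty list means every file verified)."""
    problems = []
    for path, expected in manifest.items():
        if path not in backup:
            problems.append(f"missing: {path}")
        elif sha256_hex(backup[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    for path in backup:
        if path not in manifest:
            problems.append(f"unlisted: {path}")
    return problems


def check_backup_age(completed_at: datetime, now: datetime,
                     max_age: timedelta = MAX_BACKUP_AGE) -> bool:
    """Administrative control (freshness audit): is the newest backup within policy?"""
    return now - completed_at <= max_age


def restore_test(backup: dict, manifest: dict) -> list:
    """Administrative control (restoration testing): write the archive out to a
    scratch directory and re-verify what is actually on disk, not what the
    backup job claims it wrote."""
    with tempfile.TemporaryDirectory() as root:
        for path, data in backup.items():
            dest = os.path.join(root, path)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(data)
        restored = {}
        for path in manifest:
            dest = os.path.join(root, path)
            if os.path.exists(dest):
                with open(dest, "rb") as fh:
                    restored[path] = fh.read()
        return verify_manifest(restored, manifest)


def assess_backup(backup: dict, manifest: dict, completed_at: datetime,
                  now: datetime) -> list:
    """Combine the three checks. Returns the list of findings; an empty list
    means the backup is intact, current, and restorable."""
    findings = verify_manifest(backup, manifest)
    if not check_backup_age(completed_at, now):
        age_days = (now - completed_at).days
        findings.append(f"stale: backup is {age_days} days old, policy allows "
                        f"{MAX_BACKUP_AGE.days} day(s)")
    if not findings:  # only bother restoring a backup that is intact and current
        findings.extend(restore_test(backup, manifest))
    return findings


if __name__ == "__main__":
    for label, archive, when in [("good", SAMPLE_BACKUP, RECENT),
                                 ("tampered", TAMPERED_BACKUP, RECENT),
                                 ("stale", SAMPLE_BACKUP, STALE)]:
        print(label, assess_backup(archive, SAMPLE_MANIFEST, when, NOW) or "OK")
```

Running the script reports the intact, recent backup as OK, names the altered file in the tampered archive, and flags the 40-day-old backup as stale even though every digest still matches. The last case is the exam trap in code form: the technical control (hashing) is working perfectly, and only the administrative check notices that nothing new has been backed up for weeks.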
Reflection Question: A company implements full-disk encryption on all laptops (technical control). Why might this be insufficient protection against data theft by an authorized insider? What administrative and physical controls would address the remaining risk?