Which of the following controls involves policies and procedures?

The choice that involves policies and procedures is administrative controls. These controls are centered on the establishment and enforcement of organizational policies and procedures that dictate how an organization manages its information security. They are concerned with the people and processes in securing an organization’s data and systems.

Administrative controls typically include aspects like personnel security policies, training and awareness programs, incident response plans, and access control policies. This is essential in promoting a security culture and ensuring compliance with regulatory requirements. By developing and implementing these controls, organizations can effectively manage risk and ensure that security practices are followed consistently across all levels.

In contrast, physical controls relate to the physical security measures taken to protect facilities and resources, such as locks, surveillance cameras, and security guards. Logical controls involve technical measures to protect information systems, like firewalls and encryption. Technical controls are specific to software or hardware solutions that enforce security policies. Each of these control types plays a role in an organization's overall security posture, but administrative controls specifically encompass the structured policies and procedures vital for governance and compliance.