What are administrative controls primarily focused on?

Administrative controls are primarily focused on implementing policies and procedures that govern the organization’s approach to information security. These controls are about establishing the framework and guidelines that dictate how various aspects of security should be managed, including the behavior of employees, response to incidents, and compliance with laws and regulations.

By creating and enforcing policies, organizations can ensure that all personnel understand their responsibilities and the procedures they must follow to maintain a secure environment. This can include training employees on security awareness, defining access levels to sensitive data, and establishing protocols for reporting security incidents.

The other choices, while important aspects of a comprehensive cybersecurity strategy, do not fall under administrative controls. Data encryption, firewalls, and antivirus software are more technical or operational controls, focused on the implementation of specific technologies to protect data and systems, while physical barriers pertain to the physical security of assets. Administrative controls serve as the foundational policies that guide how these other types of controls should be utilized effectively.