1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (Special Publication 800-53, Revision 5).
Reference: Section 2.3, "Control Structure," and Appendix F, "Security Control Catalog." The document categorizes controls into families. The "Physical and Environmental Protection (PE)" family explicitly includes controls like PE-13, "Fire Protection," which covers fire detection and suppression. This directly supports option A as a physical control. In contrast, policies (Option B) fall under administrative families like "Policy and Procedures (PL-1)," and planning (Option C) falls under the "Planning (PL)" family.
2. Fenz, S., & Ekelhart, A. (2011). Formalizing Information Security Knowledge. In Proceedings of the 44th Hawaii International Conference on System Sciences. IEEE.
Reference: Page 4, Section 3.2, "Security Control Classification." The paper classifies controls into three main categories: physical, technical, and administrative. It explicitly lists "fire extinguishers" as an example of a physical control, while "security policies" are listed as administrative controls. This academic source clearly distinguishes between the control types presented in the options.
DOI: 10.1109/HICSS.2011.138
3. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. In Proceedings of the IEEE, 63(9), 1278-1308.
Reference: Page 1296, Section D.1, "Physical Security." This foundational paper on computer security discusses physical security mechanisms. It states, "The first step in protecting a computer system is to place it in a locked room... Other physical security measures include fire protection..." This classic source establishes fire protection as a fundamental physical control.
DOI: 10.1109/PROC.1975.9939