An acceptable use policy (AUP) is an example of what type of control?

An acceptable use policy (AUP) is categorized as an administrative control because it involves the establishment of guidelines and procedures that dictate how an organization's resources, including technology and data, should be utilized by employees and users. Administrative controls focus on the management and organizational policies that govern behavior within the organization, aiming to mitigate risks through rules, responsibilities, and accountability.

In this context, the AUP provides a clear framework for expected conduct, articulating what is permissible and what is not, ensuring that employees understand their obligations and the potential consequences of misuse. These types of controls are crucial for creating a culture of security and compliance, as they set standards for behavior rather than relying solely on technical or physical measures to protect resources.

In contrast, technical controls would involve software or hardware solutions, physical controls relate to tangible barriers or locks, and operational controls encompass day-to-day practices and procedures. Thus, the classification of an AUP as an administrative control is rooted in its focus on policy and procedural governance rather than on technological or physical implementations.