What are the three categories of control areas in information security?


The correct answer highlights the three fundamental categories of control areas in information security: Administrative, Technical, and Physical.

Administrative controls involve policies, procedures, and regulations that govern an organization's security practices and set the framework for managing the organization’s overall security posture. This includes training, the establishment of security policies, and risk management practices.

Technical controls refer to technological solutions that protect systems and data. Examples include firewalls, encryption, intrusion detection systems, and access control mechanisms: essentially, any technology intended to safeguard information systems from unauthorized access or breaches.

Physical controls encompass security measures designed to protect the physical facilities and assets of an organization. These can include security guards, locks, surveillance cameras, and other physical barriers that protect the organization's hardware and data from physical threats.

The other choices may represent valid aspects of information security; however, they do not collectively capture the comprehensive categorization recognized in the realm of information security control areas. Preventive, detective, and corrective are types of controls related to their functions but do not categorize the broader aspects of information security. Operational, managerial, and strategic focus more on business processes and governance rather than specifically addressing the control domains within security.
