What type of control involves using policies and procedures to mitigate risk?

The correct option, which focuses on using policies and procedures to mitigate risk, is classified as an administrative control. Administrative controls are critical components of security that involve the implementation of policies, procedures, and practices designed to manage and regulate the behavior of individuals within an organization and ensure compliance with established security frameworks.

Administrative controls encompass a wide range of measures, including risk assessments, security awareness training, incident response procedures, and user access control policies. These are designed not only to mitigate risks but also to create a culture of security within the organization. By establishing clear guidelines and expectations for behavior, administrative controls play a vital role in reducing vulnerabilities and enhancing overall security posture.

In contrast, technical controls focus on the use of technology and software solutions to protect information systems, while physical controls involve securing the physical environment where information systems are housed. Operational controls refer to the day-to-day procedures and practices that help maintain the security of organizational assets but may not necessarily focus on the overarching policies and strategies like administrative controls do.

Understanding this distinction helps clarify the integral role that administrative controls play in creating a structured and responsive approach to risk management in organizational security frameworks.