One of the main reasons to have a variety of access-control types is to provide the organization with true defense in depth. Each control type provides a different level of protection, and because each level can be tweaked to meet the needs of the organization, the security administrator has a very granular level of control over the security mechanisms. Security mechanisms can serve many purposes, although they are primarily used to prevent, detect, or recover from problems. The best approach is for the organization to focus the bulk of its controls on prevention because this allows the organization to stop a problem before it starts. The three access-control types include administrative, technical, and physical controls.
Administrative controls are the policies and procedures implemented by the organization. Preventive administrative controls can include security awareness training, strong password policies, and robust pre-employment checks.
Technical controls are the logical controls you have put in place to protect the IT infrastructure. Technical controls include strong authentication (biometrics or two-factor), encryption, network segmentation, demilitarized zones (DMZs), and antivirus controls.
Physical controls are the ones you can most likely see. These controls protect against theft, loss, and unauthorized access. Examples of physical access controls include guards, gates, locks, guard dogs, closed-circuit television (CCTV), and alarms.
Be sure you understand the three types of controls that can be used to limit accessadministrative, technical, and physical controlsand what is contained within each set. This is considered required knowledge for the CISSP exam.