Administrative policies for database security: Which of the following elements commonly appear in an organization’s administrative security policy for protecting databases?

Difficulty: Easy

Correct Answer: All of the above.

Explanation:


Introduction / Context:
Database security spans technical controls and administrative controls. A robust program includes identity management, physical protection of facilities, and contractual SLAs with vendors, all coordinated through policy and governance.



Given Data / Assumptions:

  • Policies define who can access systems and how authentication is performed.
  • Physical security restricts entry to sensitive areas (data centers, server rooms).
  • Vendor agreements include response and remediation commitments that affect uptime and risk.


Concept / Approach:

Administrative policies codify expected practices: strong authentication (MFA, password rotation), least-privilege access, facility controls, and vendor management (maintenance and response time SLAs). Together, these reduce attack surfaces and improve resilience against incidents that could compromise databases.



Step-by-Step Solution:

  • List key domains: identity, physical, and third-party/vendor risk.
  • Map each option to a domain: authentication → identity; restricted areas → physical; response rates → vendor SLA.
  • Select the comprehensive option covering all three.


Verification / Alternative check:

Audit frameworks (for example, ISO 27001, SOC 2) require documented policies across these domains, confirming their relevance to database security.



Why Other Options Are Wrong:

Each single item addresses only one aspect. Effective policy must cover identity, physical, and vendor-related controls jointly.



Common Pitfalls:

Relying solely on technical controls while neglecting physical or vendor risks; failing to test incident response against SLA expectations.



Final Answer:

All of the above.
