Which of the following is not an example of an administrative safeguard that organizations use to protect PII?
Organizations use administrative safeguards to protect PII/PHI by focusing on policies, procedures, and people, not on the actual technical tools like encryption or firewalls.
What are administrative safeguards?
Administrative safeguards are the policies and procedures that manage how an organization selects, implements, and maintains security measures and how the workforce behaves around sensitive data such as PII or ePHI.
Typical administrative safeguards include:
- Risk analysis and ongoing risk management.
- Assigning a security/privacy officer.
- Workforce security and background checks.
- Security awareness and training programs.
- Information access management (who is allowed to see what).
- Security incident response procedures.
- Contingency plans and disaster recovery procedures.
- Regular evaluations of the security program and policies.
All of these are “administrative” because they live in the realm of governance, documentation, and human processes rather than hardware or specific software controls.
What is not an administrative safeguard?
In exam or quiz questions that ask:
“Which of the following is not an example of an administrative safeguard that organizations use to protect PII?”
the answer is usually something that belongs to technical or physical safeguards instead of administrative ones.
Examples of items that are not administrative safeguards include:
- Encryption of data at rest or in transit (this is a technical safeguard).
- Firewalls, intrusion detection systems, or secure network protocols (technical safeguards).
- Physical locks on server rooms, security cameras, or badge-controlled doors (these are physical safeguards).
- Device security features like cable locks or physically securing workstations (physical safeguards).
So, in a typical multiple‑choice list, something like “Encrypting PII on disk using AES” or “Installing a firewall to protect the network” would not be an administrative safeguard, while “conducting regular risk assessments” or “providing security awareness training” would be administrative.
How to quickly tell in a test
A simple way to spot the “not an administrative safeguard” choice:
- Answers that describe policies, procedures, training, governance, documenting access rules → administrative.
- Answers that describe tools, software, encryption, access control mechanisms, MFA → usually technical.
- Answers about door locks, ID badges, facility security, cameras → physical.
On most quizzes about “which of the following is not an example of an administrative safeguard that organizations use to protect PII,” the correct option will be a clearly technical or physical control such as encryption, firewalls, or door locks, because those do not fall under administrative safeguards.
TL;DR: Administrative safeguards = policies, procedures, training, and governance. Anything that is a technology control (like encryption or firewalls) or a building/physical control (like locks and cameras) is not an administrative safeguard.