Which of the following is NOT considered an access control layer?

Access control layers are designed to ensure the protection of sensitive information by defining how users can access data and systems. These layers typically include technological, physical, and administrative controls, all of which play specific roles in safeguarding assets.

The technological layer involves tools and systems that enforce access controls, such as firewalls, encryption, and access control lists (ACLs). Physical access controls are measures implemented to limit access to physical locations, such as locked doors, security guards, and surveillance cameras. The administrative layer involves policies, procedures, and practices that govern how access is managed and enforced, like role-based access control (RBAC) and user training.

In this context, the term "policy" is usually viewed as part of the administrative layer rather than a standalone layer. Policies serve as the guiding principles and rules that inform how the other access control layers should operate. Therefore, "policy" does not constitute a separate access control layer on its own, differentiating it from the other components noted. This distinction clarifies why it is identified as NOT being an access control layer in itself.