The correct answer is "Threats, vulnerabilities, and risks". Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and the risk determines the
probability of threats being realized. All three items must be present to meaningfully apply access control. Therefore, the other answers are incorrect.

It is considered to be a 'Physical Control'
There are three broad categories of access control: administrative, technical, and physical.
Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it, a partial list is shown here. Not all controls fall into a single category, many of the controls will be in two or more categories. Below you have an example with backups where it is in all three categories:
* Administrative Controls
* Policy and procedures
- A backup policy would be in place
* Personnel controls
* Supervisory structure
* Security-awareness training
* Testing
* Physical Controls
* Network segregation
* Perimeter security
* Cmputer controls
* Work area separation
* Data backups (actual storage of the media, i:e Offsite Storage Facility)
* Cabling
* Technical Controls
* System access
* Network architecture
* Network access
* Encryption and protocols
* Control zone
* Auditing
* Backup (Actual software doing the backups)
The following answers are incorrect :
Password and resource management is considered to be a logical or technical control.
Identification and authentication methods is considered to be a logical or technical control.
Intrusion Detection Systems is considered to be a logical or technical control.
Reference : Shon Harris , AIO v3 , Chapter - 4 : Access Control , Page : 180 - 185

A TCP sequence number attack exploits the communication session which was established between the target and the trusted host that initiated the session. It involves hijacking the session between the host and the target by predicting the target's choice of an initial TCP sequence number. An IP spoofing attack is used to convince a system that it is communication with a known entity that gives an intruder access. It involves modifying the source address of a packet for a trusted source's address. A SYN attack is when an attacker floods a system with connection requests but does not respond when the target system replies to those requests. A smurf attack occurs when an attacker sends a spoofed (IP spoofing) PING (ICMP ECHO) packet to the broadcast address of a large network (the bounce site). The modified packet containing the address of the target system, all devices on its local network respond with a ICMP REPLY to the
target system, which is then saturated with those replies.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and
Network Security (page 77).

Change management policies and procedures belong to the type of controls that are directive. Controls are the measures and the mechanisms that are used to protect and safeguard the organization's information systems and assets, and to ensure that they comply with the organization's security and business objectives. Controls can be classified into different types, based on their purpose, function, or nature, such as preventive, detective, corrective, deterrent, compensating, or recovery controls. Directive controls are the type of controls that guide and regulate the actions and the behaviors of the organization's staff, processes, and systems, and that ensure that they follow the organization's policies, standards, and regulations. Directive controls can include policies, procedures, guidelines, standards, rules, regulations, laws, or contracts. Change management policies and procedures belong to the type of controls that are directive, as they provide the instructions and the requirements for managing and controlling any changes to the organization's information systems and assets, and for ensuring that the changes align with the organization's security and business requirements. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 18. Free daily CISSP practice questions, Question 4.