Shubham Patil says
Risk mitigation is achieved by implementing different types of security controls depending on:
• The goal of the countermeasure or safeguard.
• The level to which the risk needs to be minimized.
• The severity of damage the threat can inflict.
The overall purpose of implementing security controls as previously mentioned is to help reduce risks in an organization. In other words, the primary goal of implementing security controls is to prevent or reduce the impact of a security incident. While it’s next to impossible to prevent all threats, mitigation seeks to decrease the risk by reducing the chances that a threat will exploit a vulnerability.
Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.
Three types of risk mitigating controls:
Physical controls describe anything tangible that’s used to prevent or detect unauthorized access to physical areas, systems, or assets. This includes things like fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTVs, surveillance cameras, motion sensors, fire suppression, as well as environmental controls like HVAC and humidity controls.
Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion protection systems (IPSs), constrained interfaces, as well as access control lists (ACLs) and encryption measures.
Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization’s security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.
From: https://www.f5.com/labs/articles/education/what-are-security-controls
Elizabeth Gutierrez says
Hi Shubham,
I like how you identified the three types of risk mitigation controls and provided an in-depth analysis. It was my observation that you may have forgotten to identify which you believe is the most important. There is a possibility that there is not a right answer, but I argued that administrative controls are the most important given that they are the hardest to manage and ensure that the other types of controls are working properly. I also considered how administrative controls affect the hiring process. If they are doing their job correctly by implementing clear security policies and procedures backed with employee training and education, there should not be a reason for a breach or loss of information caused by an employee.
Alexander William Knoll says
Hi Shubham,
This was a very good analysis of the three risk mitigating controls. The article you shared really helped me get a better understanding of the controls. I was curious which control you think is the most important?
Elizabeth Gutierrez says
The three types of risk mitigating controls are physical, technical, and administrative. Physical controls are usually related to physical security such as fences, locks, or structures put in place to protect sensitive material and prevent or deter unauthorized access. Technical control involves security protection through technical means in an effort to protect assets, such as antivirus software, firewalls, etc. Administrative controls are considered to be implementing effective policies, procedures, or guidelines that define personnel or business practices in accordance with the organization’s security goals; examples of administrative control include but are not limited to employee hiring, data classification, and security awareness training. I would argue that administrative control is the most important based on the expression that information security is “70 percent management and 30 percent technology”. I think that sometimes companies put too much emphasis on having the most expensive and latest technology, but in reality it will not solve their problems. While maintenance of security technology and physical mitigating controls is necessary, without administrative management they will not be of much use and will not be enforced effectively. It is also my opinion that one of the biggest vulnerabilities to an organization’s security is poorly trained staff. With the right implementation of administrative controls, a company can be more protected against possible threats or breaches to come.
Shubham Patil says
Hi Elizabeth,
I do believe all three controls are equally important. Here’s the difference between the three security controls:
While administrative controls may rely on technology or physical controls for enforcement, the term is generally used for policies and procedures rather than the tools used to enforce them. For example, a BYOD policy is an administrative control, even though the security checkpoints, scanners, or wireless signal blocking tools used to enforce the policy would be physical controls.
Basically, administrative security controls are used for the “human factor” inherent to any cybersecurity strategy. They can be used to set expectations and outline consequences for non-compliance. Meanwhile, physical and technical controls focus on creating barriers to illicit access—whether those are physical obstacles or technological solutions to block in-person or remote access.
From: https://www.compuquip.com/blog/what-are-administrative-security-controls
Yangyuan Lin says
Hi Elizabeth,
I like your detailed explanation, including why administrative controls are the most important. I also pointed out that the company needs to strengthen training for employees to improve their awareness of information security risks. But I want to ask how you will make employees abide by these guidelines to ensure corporate information security?
Alexander William Knoll says
Hey Elizabeth,
This is a very detailed explanation. I agree that administrative controls are the most important because of the reasons you mentioned. It doesn’t matter if you have the best security staff or best anti-virus software money can buy, because without proper administrative controls, such as employee training, there will always be room for human error.
Yangyuan Lin says
Risk mitigation control includes three categories: Physical, Technical, and Administrative.
The physical method to mitigate risks is the most direct method, such as canine patrols, fences, redundant data centers, locked doors, motion-detection devices, placement of authentication servers in a secure location, receptionists, and residue controls. These methods can directly prevent the occurrence of risks caused by manufactured damage.
The technical method requires software technology, such as anti-virus software, encoded data, security password settings, network firewalls, penetration testing, secure file wipes, etc. It uses network security settings and software technology to mitigate network risks and resist malicious software and hacker attacks.
Administrative methods include a code of sanctions against vendors/suppliers/contractors, color-coded ID badges, role-based access control, segregation of duties, a corporate code of conduct, internal audit, and change management.
Administrative controls are the most important. Physical and technical methods can have their protective shield damaged by malicious actions. If the management and training of employees are not in place, the physical and technical methods will be more easily destroyed. The administrative approach strengthens employees’ awareness of risk control through employee training, corporate standards, and separation of blame and blame so that all employees are always vigilant to mitigate risks.
Alexander William Knoll says
The 3 types of risk mitigating controls are physical, technical, and administrative. These types of controls are set in order to prevent potential threats to an organization. Physical controls are tangible in nature, and are implemented to protect access to a physical area. Some examples of physical controls are fences, security guards, cameras, ID cards, and things of that nature. Technical controls protect things that are technical in nature, and some examples would be firewalls, antivirus software, 2-factor authentication, etc. Finally, administrative controls are the policies, plans, and programs implemented by management. I would say administrative controls are the most important because they relate to humans, who are the biggest factor when it comes to security issues. By focusing on administrative issues, the organization will be better set up to deal with physical and administrative breaches, which will happen regardless.