Three types of risk-mitigating controls are physical, technical, and administrative. I would highlight administrative as the most important because this control addresses some of the most high-impact vulnerabilities within an organization, such as role-based access control, separation of duties, and change management. These are areas that I have seen contribute to failed security programs when incorrectly implemented.
The Computer and Information Security Handbook outlines the three areas of focus for mitigating risk: Attack Resiliency, Incident Readiness, and Security Maturity. Each of these areas is overarching of many underlying support controls. Out of the three identified by Vacca, security maturity encompasses many administrative risk mitigation controls. These controls seek to align best with the overall business strategy, promote shared security responsibility across the organization through awareness and policy, and, lastly, develop incident response capabilities for the inevitable attack.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
The three types of mitigating controls are Attack Resiliency, Incident Readiness and Security Maturity. I believe the most important is Security Maturity because it is related to all the methods, plans, and goal objectives that an organization, not just the IT department, must follow to be sure that all its data is well protected. As the word Maturity implies, this control helps in the company’s risk decision making, setting policies and standards that are comprehensible and make sense to everybody, and implementing strong procedures and restricted data that allow and authorize access to certain people at certain levels. To be more specific, the Security Maturity control is very beneficial in helping a company use the four-step risk assessment approach of Identify, Detect, Protect and React to maintain and monitor their information security system. Most companies get attacked easily because they only focus on one piece of security software; they need to be aware that one insecure system can affect the entire organization’s systems.
Because Security Maturity sets the policies and standards like you mentioned, it is the control that has the most to do with the people of an organization. Setting these policies and standards and making sure the employees understand them becomes very important. As we have learned before from Vacca, people are the single biggest source of loss. This is mainly due to negligence and not maliciousness. Security Maturity becomes the control that must be established first, before any of the other controls can be implemented effectively.
The 3 types of risk mitigating controls are: Physical, Technical, and Administrative. Administrative is the most important. Why? Because this threat is generated from the internal employees. All hardware and software tools are susceptible to human behavior. It’s really critical to stop this type of insider attack by securing sensitive information from being stolen or being modified. Thus administrative mitigation control is hugely important.
Administrative plays a significant role because people do research, identify, install and configure manually. Most of the time breaches happen due to mistakes or errors from incorrect code or procedures entered by humans. Definitely, I agree with your answer, but you could have given more examples of why you chose this risk mitigation.
Please see the risk mitigating controls (with examples):
1. Physical:
Physical security: we need to provide safety in the physical environment with measures like security guards, CCTV cameras, ID cards, biometric authentication, proximity sensors, etc.
2. Technical:
Technical mitigating controls inhibit attempts to violate security policies, such as authentication, authorization, access control enforcement, and non-repudiation (digital certificates).
3. Administrative:
When vulnerabilities increase, layered protection and architectural designs combined with administrative controls minimize the risk to a very high degree.
The 3 types of risk-mitigating controls are physical, technical, and administrative. Physical controls can include security for entering a building, locks on the server room, or even cameras. Technical controls might include firewalls, intrusion detection systems, or antivirus software. Administrative controls deal with policies, plans, and access rights. To elaborate, identity and access management is a large part of administrative controls. As stated by Vacca, “Identity and Access Management (IAM) involves tracking the behavior and actions of each individual and assets in the IT environment, specifically your system administrators and mission-critical assets.” IAM is a key foundation to administrative controls, as are security policies and plans. Without the support of upper management, the policies and plans are on track to fail. Due to these reasons, I support administrative controls as the most important.
Source: Vacca, J. R. (2017). Computer and information security handbook (3rd ed.).
Hi Dhaval,
I agree with your position here that without the support from upper management a security program is doomed to fail. Many security tools and alert settings are tuned with out-of-the-box detection rules, and these often fail to account for behavioral threats to information security. To that end, your highlighting of the importance of Identity and Access Management controls is an excellent supporting argument as to why Administrative controls are the most important.
I agree with you that administrative controls deal with actions and policies to manage the selection, development, implementation, and maintenance of security measures to protect an organization’s assets and information, and to manage the conduct of the covered entity’s workforce in relation to the protection of those assets and that information within an organization.
I liked how you gave us examples of each risk control. At first, I did not understand why administrative risk control was the most important, but all the responses, including yours, made me realize that humans are again the vector of organizational loss. We are the ones bringing money to the organization, but we are also exposing it to risk with system errors or mistakes. Misconfiguration always leads to data breaches. What risk control would you pick as the second most important, and why?
The three types of mitigating controls are Physical, Technical, and Administrative. I first considered the technical control as the most important because hardware and software systems such as firewalls and anti-virus software are used to protect assets. I now believe administrative controls are most important because policies, procedures, and guidelines are needed in order to help companies with their security goals, and, since human error is considered one of the causes of data breaches, security awareness training for employees would also fall under administrative controls.
I can relate to your thought process here, where you thought the technical control was more appropriate but changed your mind once you took a holistic view of how that control would work in practice. This question also challenged me to think: if I were under a limited budget or had few resources, which control would give me the most “bang for the buck”? I think you’ve done a great job of explaining why administrative controls return the most ROI, because they account for and factor in the human component of security.
I agree with your stance on risk mitigating controls. This is so because it means strengthening and adopting internal controls and measures suitable to the threat posed, and ensuring that any measures, policies, controls, and procedures are clearly documented and, where necessary, approved by the management of an organization.
Three types of risk mitigation controls as it pertains to information security would be Attack Resiliency, Incident Readiness, and Security Maturity. Out of the three, Security Maturity would be the most important of these controls. Vacca states that having a mature security program at one’s company makes it “necessary for other controls to be effective”. The security maturity program at a company establishes policies, plans, and trainings for employees. As we have previously learned, people are the most critical and constant security variable for a company. People remain the biggest loss vector when it comes to IT security. Establishing the rules and training for these employees creates a foundation of security and gives the company the best chance to create an engaged and security conscious workforce. Security Maturity controls also most closely align with the Administrative category of risk mitigation measures, which in addition would be the most important mitigation category of control (Physical, Technical, or Administrative) for the reasons stated above.
I am happy to read that you have also picked security maturity from all three risk controls. As Vacca explains as well, I think this method is a powerful way to start the process of mitigating potential risks. In order to provide a really good security control system, security maturity must be robust in the organization. In addition, it makes sense that you brought the human factor into your post, which we learned about and discussed in the previous chapter. Indeed, although we might have good protection and response systems, it is very important to educate the people in the organization first.
The three categories of risk mitigating controls in any organization to ensure the confidentiality, integrity and availability of information are Physical, Technical and Administrative. I think Technical is primarily regarded as the most suitable control measure to ensure the confidentiality, integrity and availability of information within an organization and to protect the organization’s assets effectively. This is so because using technical controls such as security awareness training, firewalls and anti-virus software to prevent attacks from penetrating the network and causing harm would be considered the most vibrant and potent force among the mitigating control factors. It is also considered the most important because most government and industry experts agree that security configuration management is probably the best way to ensure the best allowable configuration, coupled with automated patch management and updating of anti-virus software.
Furthermore, using a mixture of technical controls such as intrusion detection systems, system monitoring, file integrity monitoring and log management can help to track how and when system intrusions are being attempted.
I think technical controls are vital and heavily talked about in today’s environment of increasingly prevalent ransomware attacks and data breaches. However, I think it’s also important to note that if a company deploys cutting-edge technical controls but forgets basic administrative or physical controls, it creates an easy access point for hackers. You could be checking all the boxes (EDR, MFA, encryption, VPNs, etc.), but if you let anyone walk through the front door into the server room, that’s a security risk.
As illustrated in the Computer and Information Security Handbook, Vacca explains the mitigation controls to protect core assets as ‘attack resiliency’, ‘incident response’ and ‘security maturity’ (figure 24.1). I believe that the most important method is security maturity, because awareness in the organization, response and solutions to the problem come with high standards and strong policies. No matter how strong your protection mechanisms against incidents or your detection of threats are, these actions should be implemented into company culture as long-term goals.
According to Vacca, any information system security program must be comprehensive and risk-based. Most importantly, depending on security maturity, the organization must be able to align these strategies with the organization’s own strategy, as he argues again (figure 24.3).
I agree security maturity is probably the most important and impactful. Attack resiliency and incident response are key to a secure environment; however, as Vacca said, if an organization does not evolve into a business-aligned strategy then it is creating a false sense of security.
The three types of risk mitigating controls are Physical, Technical, and Administrative. I don’t think it’s possible or prudent to prioritize any one control or deem it the most important as they must all work in concert to mitigate risk. That said, it’s not always possible to adequately invest in all of these areas and tradeoffs must happen. This is why maturity models are critical to evaluating risk and providing guidance on how organizations grow and adapt.
If forced, I would prioritize Administrative controls given that security is a business problem and humans are typically the source of most security issues. As stated by my classmates in other posts, this arguably provides the best ROI. The human element gives administrative controls the edge in this scenario and makes it slightly more important than the others.
I agree with you in that all three controls need to be viewed holistically and treated with care in order to create a secure environment. I attended a talk with some ex IBM pen testers (Phil Kibler and Dan Wilson) and found it interesting how they said while consulting with clients, clients often emphasized the great technical controls they had in place but would forget about simple physical controls. The number one way these pen testers would break into the client’s network was by walking through the front door then dropping a USB on the ground, and waiting for an employee to plug it into their machine.
Humans are definitely the source of most security issues and I agree the Administrative controls should be prioritized for the reasons you stated, as well as the business has to know its culture in order to properly assign/categorize controls.
Three types of risk mitigating controls are: Physical, Technical and Administrative. In my opinion, Administrative is the most important because it gives the most accurate representation of an organization’s attitude towards information security: its approach to security education, training and awareness, as well as the policies and rules that are set in place to protect against vulnerabilities (such as frequently changing passwords, two-factor authentication, RBAC, etc.). It also best encompasses the idea that information security is important to everyone at any and all levels in an organization. Since humans are the primary vector for loss when it comes to information security, having a solid foundation (Administrative controls) can and will go a long way towards creating a less vulnerable environment, and makes the organization more prepared if and when a risk is exploited.
I agree with your statement that administrative is the most important. As you said, it gives the most accurate representation of an organization’s attitude towards IS. The example you gave of frequently changing passwords reminds me of how my organization did away with that policy. It used to be that we would have to change our password every thirty days, but now they have left it up to each individual employee, which to me isn’t the best security practice.
Three types of risk mitigating controls include administrative, physical, and technical. I don’t think one is more important than another; rather, I believe it is up to the organization to identify which types of mitigating controls are most important to support the nature of its business. If organizations can properly assess their risk environment and accurately implement the necessary controls where needed, this can allow them to optimize their resources and efforts in avoiding the most prevalent risks.
You are right. All of them need to be taken into consideration when doing a risk assessment plan and then the audit plan. However, the controls, software, or other systems need to be effective and efficient for the operation of the organization. If software was installed incorrectly due to human error, then it exposes the organization to thieves or hackers. Even though one is not more important than the other, as you said, organizations need to train people properly depending on the nature of their business.
Technical controls are used at the most basic level. They are used to reduce vulnerabilities in both hardware and software. Automated software tools are utilized to protect these assets. Some examples of technical controls are: firewalls, anti-virus software, encryption, and intrusion detection and intrusion prevention systems. Moreover, an Access Control List (ACL) is another example of a common technical control. An ACL is essentially a list of permissions which specifies who has permission to access certain objects, and what operations would be allowed on a selected object.
The second main type of mitigation control would be administrative. Administrative controls pertain to policies, procedures and guidelines that are conducive to the organization’s security goals. An example of this would be making a new hire review and acknowledge the security policy during the onboarding process. In turn, when a new hire acknowledges that security policy, he or she can then be held accountable for not complying with it.
The third mitigation control type is physical controls. These are security measures that are implemented within a defined structure and used to deter or prevent unauthorized access to sensitive material. Examples range from security guards, CCTV surveillance cameras, and alarm systems to locked and dead-bolted steel doors, and even biometrics.
I honestly think all three of these mitigation controls are all equally important to have in place. We have to understand that there is no such thing as 100% security. For that reason we need layers of security to increase the likelihood that a vulnerability cannot be exploited at any capacity of an organization that we are being tasked to protect.
I agree with the need to have all three controls and struggled with prioritizing only one for this question. I am curious about how people would approach this question from an investment perspective. Instead of selecting one priority to focus on, how would this group approach it from a budget perspective, i.e. what percentage of your budget would you spend across technical, physical, and administrative controls? Personally I would allocate the following: 50% Administrative, 30% Technical, 20% Physical.
Hi Joshua, I like the points you make as to why all mitigation controls are equally important. As I had mentioned in my comment, I considered technical the most important, and after going through what each control represents, administrative, in my opinion, was what I believe is the most important. However, each control plays an important role in managing levels of risk.
The three types of mitigating controls are Physical, Technical, and Administrative. Although it is the text-book answer, I would consider Administrative Controls as likely the most important. This is because setting up policies and procedures is a foundation for later technical and physical control implementations. An example of this would be an access control policy that could not be technically established until the dissemination of roles occurs. If access to a particular information system requires Role-Based Access Control (RBAC), then there must be policies and procedures to determine the technical implementation. Not only does this make more sense, but it would also detail the training and documentation an individual would require in order to obtain the role for the system. Otherwise, how would the organization be able to facilitate access controls in the first place?
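Two of the posts above describe the same technical control from different ends: the ACL as "a list of permissions which specifies who has permission to access certain objects, and what operations would be allowed", and the RBAC policy that must exist (roles, and the separation-of-duties rules between them) before the technical check can be built. The following is an added example, not code from any post or from Vacca's handbook, showing both halves in one place: the administrative decisions are plain data (roles, per-object ACL entries, conflicting role pairs), and the technical control is a deny-by-default check over that data. All user names, role names and the object "invoice/1042" are constructed for the example.

```python
"""Deny-by-default ACL/RBAC enforcement with a static separation-of-duties check.

Added example; the roles, users, object names and conflict pairs below are
constructed for illustration and do not come from any real organization.
"""
from typing import Dict, FrozenSet, List, Set


class AccessPolicy:
    """Holds administrative policy as data and enforces it technically."""

    def __init__(
        self,
        roles: Dict[str, Set[str]],                 # user -> roles granted
        acl: Dict[str, Dict[str, Set[str]]],        # object -> role -> operations
        sod_conflicts: Set[FrozenSet[str]],         # role pairs nobody may hold together
    ) -> None:
        self.roles = {u: set(r) for u, r in roles.items()}
        self.acl = acl
        self.sod_conflicts = sod_conflicts

    def is_allowed(self, user: str, obj: str, op: str) -> bool:
        """Technical control: allow only if some role of the user grants op on obj.

        Unknown user, unknown object, role missing from the ACL, or op not
        listed all fall through to False (deny by default).
        """
        entries = self.acl.get(obj, {})
        return any(op in entries.get(role, set())
                   for role in self.roles.get(user, set()))

    def sod_violations(self, roles: Set[str]) -> List[FrozenSet[str]]:
        """Return the conflicting role pairs fully contained in `roles`."""
        return [pair for pair in self.sod_conflicts if pair <= roles]

    def grant_role(self, user: str, role: str) -> bool:
        """Administrative change: assign a role, refused if it creates a SoD conflict.

        Returns True if the role was granted, False if the grant was rejected.
        """
        proposed = self.roles.get(user, set()) | {role}
        if self.sod_violations(proposed):
            return False
        self.roles[user] = proposed
        return True


def example_policy() -> AccessPolicy:
    """Constructed sample policy: an accounts-payable workflow (hypothetical)."""
    return AccessPolicy(
        roles={
            "alice": {"ap_clerk"},
            "bob": {"ap_approver"},
            "carol": {"auditor"},
        },
        acl={
            "invoice/1042": {
                "ap_clerk": {"read", "edit"},
                "ap_approver": {"read", "approve"},
                "auditor": {"read"},
            },
        },
        # Separation of duties: the person who prepares an invoice
        # must never be the person who approves it.
        sod_conflicts={frozenset({"ap_clerk", "ap_approver"})},
    )


if __name__ == "__main__":
    p = example_policy()
    print(p.is_allowed("alice", "invoice/1042", "edit"))      # True
    print(p.is_allowed("alice", "invoice/1042", "approve"))   # False: role lacks op
    print(p.is_allowed("mallory", "invoice/1042", "read"))    # False: unknown user
    print(p.grant_role("alice", "ap_approver"))               # False: SoD conflict
    print(p.grant_role("alice", "auditor"))                   # True
```

The point to take from it is the direction of dependency the post argues for: nothing in `is_allowed` can be written until someone has decided what the roles are and which pairs conflict, and once that is written down as data, the check itself is a few lines that fail closed.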
I agree with you, Michael. Having proper technical controls in place does help in maintaining a proper information security program, but there is simply little effect from these controls if there is not proper management and administration behind them. Policies and procedures ensure that personnel are following the critical ISO/PCI/HIPAA standards necessary to the functionality of an organization. Without policies, there is no uniformity or structure to a program.
The three types of risk-mitigating controls that exist are Technical (logical), Operational (physical) and Administrative (management) mitigating controls. I believe all three mitigation controls complement each other, and it is very difficult for one to be effectively implemented in isolation from the others.
Technical or logical controls are machine-implemented controls. A technical control only becomes effective if the infrastructure is physically protected from unauthorized access, use or interference; i.e., it is very easy to configure a CMDB server for asset management purposes if such a server is physically secure within the organization.
Secondly, operational/physical controls will be effective in any organization if proper management or administrative controls, i.e., policies, standards, procedures, roles, and responsibilities, exist to establish, guide and direct them. Lastly, technical controls are initiated, acquired, and implemented because of management approval and directives and nothing else. Likewise, administrative processes, i.e., access control, review and termination, will only work if and when adequate and effective technical controls exist to implement them.
Even though there is a school of thought that physical controls are the first and foremost line of defense and if not effective, others will fall, I am of the view that none is more important than the other because they all complement each other under the principle of defense in depth.
The three categories of information security risk mitigation controls are physical controls, technical controls (also known as attack resiliency), and administrative controls. Out of the three, I would personally rate administrative controls as the highest in importance.
As stated in the Computer and Information Security Handbook, administrative controls hold information security together. Technical controls, such as the implementation of IDS/IPS software or the use of network security protocols like SSL proxies, are efficient, but only when used properly. If there are not efficient hiring procedures to get the right personnel in place to keep an environment secure, or even if there is not proper training, the external technical controls can ultimately be rendered useless. Physical security controls such as monitoring data center access are also critical to maintaining system security, but an organization without proper management and administration lacks the essential security maturity needed for an infosec program.
Hi Lauren, I like your layered approach to the question, and I didn’t really think of it this way. I suppose I approached it with a more “pie in the sky” perspective, where financial and employee resources are plentiful. But I do tend to agree with you; I think it’s extremely important to establish administrative controls tailored to your organization. From there you can begin to deploy appropriate technical and physical controls through technologies that support the administrative controls.
I absolutely agree with you, especially since I have witnessed this first hand. Currently, one of the things my organization struggles with comes from the business side. As discussed in earlier chapters from Vacca, business would do well to understand IT, and vice versa. Instead, I see that different programs in my organization have the issue of onboarding and training new hires, especially in the wake of the pandemic. There is also another issue of some programs (not all) not quite understanding the processes of the Risk Management Framework (RMF) and the requirements needed of personnel. Because of this, when we enter implementation phases, system engineers quite frequently struggle.
The three types of risk mitigating controls are physical, technical, and administrative.
In my opinion, administrative is the most important because it deals with educating employees about risk mitigation strategies, and employees/people are the largest cause of risk and loss. Administrative risk mitigation also deals with policy and access controls, which are two of the other most important factors when it comes to risk control.
With that being said, physical and technical risk controls are both still necessary, and no system/network would be secure without all three.
Agreed Michael. Due to human error, employees being educated on risk mitigation on a regular basis should be part of the culture in the workplace. Holding regular trainings on risk policies and procedures is good to keep the information fresh. Also, when new employees start employment, they are initially made aware of risk mitigation strategies.
I agree with what you said that administrative control is the most secure. When it comes to personnel, people are uncontrollable, which is the biggest cause of losses. The lack of security controls puts the confidentiality, integrity, and availability of information at risk. This requires strengthening the management and monitoring of administrative controls. At the same time, pay attention to physical and technical risk controls, which greatly reduce the probability of encountering risks and cultivate a good ability to deal with risks.
I agree in that all three controls are vital to preventing and mitigating an attack. However, you bring up a good point about how vital administrative controls are. People are the weakest link, and a common way hackers infiltrate a network is via phishing. If we are able to educate employees to stop clicking harmful links, it can reduce the likelihood of an attack.
The 3 types of risk-mitigating controls are Physical, Technical, and Administrative.
Risk mitigation is achieved through the implementation of different types of security controls. The goal of the countermeasures or safeguards determines the level to which the risk needs to be reduced, and the severity of the damage that the threat may cause.
The lack of security controls puts the confidentiality, integrity, and availability of information at risk. These risks also extend to the safety of people and assets within the organization. Administrative is the most important because, across the three aspects of corrective, detective and preventative controls, administrative controls have the more efficient control functions, for example hiring and termination policies and separation of duties. Where personnel are involved, it is necessary to strengthen the management and monitoring of administrative controls.
I agree with your opinion that administrative controls are the most important. Your point that administrative controls have more efficient and wider functions across the three aspects of correcting, detecting and preventing is a good one, because with proper education even employees not specializing in IS can have a better idea of IS risks, preventive measures, and ways to correct past errors.
I think the recovery strategy is what drives the success of the plan. When people are in trouble because they have not created a recovery strategy that genuinely meets the needs identified in the BIA, this may also be because they did not conduct sufficiently rigorous recovery exercises to determine that their plan could truly restore business.
Physical risk mitigation means locking doors, not letting unauthorized people into the building or server rooms, having scan-in badge access, and more. Technical includes having VPNs, MFA, encryption, penetration testing, and other important mitigation techniques in place. Administrative controls include role-based access, segregation of duties, and internal audits.
Hackers will always seek out the weakest link in your network. That means if you ignore one type of risk mitigating control, it will create a weakness for hackers to exploit. Ultimately, your corporate network is an ecosystem that you have to analyze holistically. If you are lacking in one type of control, you need to have mitigating controls in other areas so that you are able to prevent and limit any attacks on the network.
Hello Madalyn,
I completely agree with you that “Hackers will always seek out the weakest link in your network.” All of the controls need to be implemented equally to protect the network of the organization. However, I still think the most important one is the technical control, because if that is not set properly then anyone around the world can remotely access the computers and servers within the organization.
What are 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are Administrative, Technical and Physical. By definition the word mitigate means to make less severe or to lessen the gravity of; when we think about a business and its risks, having risk mitigations in place is crucial. For example, if we have a server for our business, one risk or concern would be something happening to the server data, so we mitigate that risk by backing up the server data. Yes, we would be concerned that something happened to our server data, but the gravity of the situation would be lessened as we had a backup of the data in place. I believe the Administrative mitigation controls are most important because the Administration steers the business and will decide what mitigating controls are needed, from most essential down to not needed.
I agree that administrative controls are the most important of the 3 controls. Having guidelines set in place prevents employees from being careless with their devices and mitigates the greatest risks of data breaches. Human error is a leading cause of data breaches and raising security awareness and compliance belongs in the administrative section.
Hello Jason, I’m afraid I have to disagree that administrative controls are the most important. Even though everything starts and ends with the policies in place, which create all processes and procedures, I believe that no control can operate effectively in isolation, making each one equally important to another. Operational controls enable the implementation of logical controls, making it easy to create policies and procedures. On the other hand, no management control will work if physical controls are not put in place. In summary, the relationship is symbiotic, and one cannot work without the other.
In regards to information security, Vacca defines three different domains for mitigating risk: attack resiliency, incident readiness, and security maturity. Attack resiliency mitigates an organization’s risk through the implementation of strong technical controls. Incident readiness measures an organization’s detective controls in place, reducing risk for the organization by limiting a threat actor’s dwell time through early detection in the event of a breach. Security maturity mitigates risk through implementing strong administrative policies and controls, which enable effective incident response. The goal of security maturity is to deter a threat actor from even selecting the business as a target in the first place. It ultimately enables attack resiliency and incident readiness to thrive, and is therefore the most important risk mitigating control. Strong administrative policies in place will reduce the time to detection during incident response; it will be easier to trace internal attacks, for example.
Interesting concept that bad guys will be deterred from pursuing a target because of security maturity. It sounds like a variant of ‘Peace Through Strength’ – certainly a viable strategy for consideration! I had always thought of it more from the perspective of – it costs the bad guys very little to try and they only have to get lucky once. The good guys need to be good (if not great) ALL the time and in most companies are considered a ‘pure cost’ in economic terms (not contributing to revenue generation). I like the idea that through Cyber preparedness you could diminish the probability of a Cyber event.
The three types of risk mitigating controls are: Physical, Technical and Administrative. In my opinion, Administrative is the most important because it sets the groundwork for the other two. It defines how the over-arching functions of an organization perform work. The Technical and Physical controls are more closely related to work execution.
There are 3 types of risk mitigating controls: Physical, Technical, and Administrative. A few examples of Physical, Technical, and Administrative controls are:
– locks, gates, fences (Physical Control)
– Anti-virus software, Firewall, SIEM (Security Information and Event Management) (Technical Control)
– Segregation of Duties, Change Management, Training and Awareness (Administrative Control)
One of the main purposes of an information system is to be accessible when it is needed. The technical control ensures the systems are available and are only accessible by authorized users, so I would consider the technical control to be the most important among the other controls. Physical control only stops an unauthorized user from having physical access to the information asset. If the information assets are secured using technical controls such as password protection, properly encrypted hard drives, and other technical controls in place, then the physical security can be implemented afterwards. Additionally, if the information technology is not secured using a technical control, then it could also be accessible to anyone remotely. Administrative controls only ensure the information technology program is well maintained and ensure that segregation of duties, change management, and other administrative controls are in place. If the systems are not accessible, then the administrative controls can’t be defined, such as which user will need access to which resources and what types of training will need to be provided to end users.
Hello Patel. I beg to disagree with you that “If the systems are not accessible then the administrative controls can’t be defined as which user will need access to resources, what types of training will need to provide to end-users.” Administrative controls, e.g., policies, procedures, standards, and guidelines, set the pace for creating logical and physical controls. In IT, everything and anything starts with a policy; without management buy-in, which is interpreted into controls, other risk mitigation objectives will not operate effectively. I am, however, of the view that they all complement each other.
What are 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of mitigating risk control are physical, technical, and administrative. I believe that administrative risk mitigation is the most important of the three because procedures and policies need to be set in place. Not having these rules set in place could lead to employees being careless on their devices and putting the company at the risk of a data breach. While I do believe that physical and technical risk mitigation controls are important as well, human fault is one of the main causes of data breaches and dealing with employee awareness is an administrative control.
Hello Micheal. Well said. While I agree with you on the 3 types of mitigating controls, I do not in any way believe that one is more important than the other. My reason is based on the premise that no control can actually work in isolation without touching the other. For example, physical controls pave the way for technical controls to be properly implemented because if you lack physical security, logical control will not hold. Secondly, physical controls work better when infused with logical controls, i.e., access to a building being managed through a swipe card. Lastly, administrative and logical controls can only be effectively enforced when physical controls and logical enhancements exist. They all rely on each other for proper and effective implementation.
Business Impact Analysis. The BIA is one of the essential controls. To help the organization manage and control its risk, you should conduct regular BIAs. They should be current, comprehensive, and adequately assess the level of criticality in the continuity plan.
Recovery Strategy. Once you have the results from a good BIA, you can use them as the foundation for your second control, the Recovery Strategy. The strategy should reflect how quickly you need to recover the business unit and be fully implemented and validated.
Recovery Plan. The task here is to write a plan that comprehensively outlines the steps and actions you need to take to utilize the recovery strategy to recover the business unit and its critical processes.
The three types of risk mitigating controls are protect, detect, and respond. The most important risk mitigating control is to protect. If the organization is protective and so are the employees, the chances of any incidents occurring will be lower, as opposed to focusing on responding to incidents. It is always best to keep a breach from occurring than to be monitoring and responding to a breach.
The 3 types of risk mitigating controls are physical, technical, and administrative. A physical control is the implementation of security measures to prevent unwanted access. Examples of physical controls are: security guards, IDs, cameras, and alarm systems. Technical controls are used to reduce vulnerabilities in hardware/software. Examples are encryption, firewalls, and anti-malware software. Administrative security controls refer to policies, procedures, or guidelines that align personnel with the organization’s security objectives/goals. Administrative risk mitigating control is the most important; this can be caused by human error. Training for phishing attacks is in favor of administrative security control. For example, if a policy calls for an employee to not post unethical situations about the company, that could ruin an organization’s reputation. If you hear terrible things about the company, customers are going to stay away from that business. Additionally, training for phishing is needed for employees. A business that does not train its employees to look for malicious and suspicious attacks can also ruin a business by taking sensitive and confidential information.
The three types of mitigating risk controls are physical, technical and administrative. I think that the most important control is administrative. Administrative is the most important control because it deals with the internal aspects of an organization. Employees, policies, guidelines and access control are all very important aspects of mitigating controls. By not having controls in place, the administrative risk can become a major problem for an organization, more than both technical and physical.
The three categories of risk mitigating controls are Physical, Technical and Administrative. Technical is considered the most appropriate control measure to promote the constant flow of information within an organization while protecting against any harmful attack that might cause the organization to lose some assets. The reason being that making use of technical controls such as security awareness training, and technical controls such as firewalls and anti-virus software, to avert any serious attack from penetrating the network to do harm would be considered the most powerful and potent force within the mitigating control factors. And it is seen as the most essential factor because most industry experts have reached the conclusion that security configuration management is basically the best way to maintain the best configuration allowable, coupled with automated patch management and updating of anti-virus software. Applying a mixture of technical controls such as intrusion detection systems, system monitoring, file integrity monitoring and log management can help to track how and when system intrusions are being attempted.
Ornella,
Because Security Maturity encompasses setting the policies and standards like you mentioned, it is the control that has the most to do with the people of an organization. Setting these policies and standards and making sure the employees understand them becomes very important. As we have learned before from Vacca, people are the single biggest source of loss. This is mainly due to negligence and not maliciousness. Security Maturity becomes the control that must be established first, before any of the other controls can be implemented effectively.
The 3 types of risk mitigating controls are: Physical, Technical, and Administrative. Administrative is the most important. Why? Because this threat is generated from the internal employees. All hardware and software tools are susceptible to human behavior. It’s really critical to stop this type of insider attack by securing sensitive information from being stolen or being modified. Thus administrative mitigation control is hugely important.
Administrative plays a significant role because people do research, identify, install and configure manually. Most of the time breaches happen due to mistakes or errors from incorrect code or procedures entered by humans. Definitely, I agree with your answer, but you could have given more examples of why you chose this risk mitigation.
Please see the risk mitigating controls (with examples):
1. Physical:
For physical security we need to provide safety in the physical environment, e.g., security guards, CCTV cameras, ID cards, biometric authentication, proximity sensors, etc.
2. Technical:
In technical mitigation we use controls that inhibit attempts to violate security policies, such as authentication, authorization, access control enforcement, and non-repudiation (digital certificates).
3. Administrative:
When vulnerabilities increase, layered protection and architectural designs with administrative controls minimize the risk at a very high level.
The 3 types of risk-mitigating controls are physical, technical, and administrative. Physical controls can include security for entering a building, locks on the server room, or even cameras. Technical controls might include firewalls, intrusion detection systems, or antivirus software. Administrative controls deal with policies, plans, and access rights. To elaborate, identity and access management is a large part of administrative controls. As stated by Vacca, “Identity and Access Management (IAM) involves tracking the behavior and actions of each individual and assets in the IT environment, specifically your system administrators and mission-critical assets.” IAM is a key foundation to administrative controls, as are security policies and plans. Without the support of upper management, the policies and plans are on track to fail. Due to these reasons, I support administrative controls to be the most important.
Source: Vacca, J. R. (2017). Computer and information security handbook (3rd ed.).
Hi Dhaval,
I agree with your position here that without the support from upper management a security program is doomed to fail. Many security tools and alert settings are tuned with out-of-the-box detection rules and these often fail to account for behavioral threats to information security. To that end, your highlighting of the importance of Identity and Access Management controls is an excellent supporting argument as to why Administrative controls are the most important.
Kelly
I agree with you that administrative controls deal with actions and policies to manage the selection, development, implementation, and maintenance of security measures to protect an organization’s assets and information, and to manage the conduct of the covered entity’s workforce in relation to the protection of those assets and that information within an organization.
I liked how you gave us examples of each risk control. At first, I did not understand why administrative risk control was the most important, but all the responses, including yours, made me realize that humans are again the vector of organizational loss. We are the ones bringing money to the organization, but we are also exposing it to risk with system errors or mistakes. Misconfiguration always leads to data breaches. What risk control would you pick as the second most important and why?
The three types of mitigating controls are Physical, Technical, and Administrative. I first considered the technical control as the most important because hardware and software systems such as firewalls and anti-virus software are used to protect assets. I now believe administrative controls are most important because policies, procedures, and guidelines are needed in order to help companies with security goals, and since human error is considered one of the causes of data breaches, security awareness training for employees would also fall under administrative controls.
Hi Chris,
I can relate to your thought process here, where you thought the technical control was more appropriate but changed your mind once you took a holistic view of how that control would be in practice. This question also challenged me to think: if, say, I was under a limited budget or had few resources, which control would give me the most “bang-for-the-buck”? I think you’ve done a great job of explaining why administrative controls return the most ROI, because it accounts for and factors in the human component of security.
Kelly
I agree with you with regard to your stance on risk mitigating control. This is so because of strengthening and adopting internal controls and measures suitable to the target posed, and ensuring that any measures, policies, controls, and procedures are clearly documented and, where necessary, approved by the management of an organization.
Three types of risk mitigation controls as it pertains to information security would be Attack Resiliency, Incident Readiness, and Security Maturity. Out of the three, Security Maturity would be the most important of these controls. Vacca states that having a mature security program at one’s company makes it “necessary for other controls to be effective”. The security maturity program at a company establishes policies, plans, and trainings for employees. As we have previously learned, people are the most critical and constant security variable for a company. People remain the biggest loss vector when it comes to IT security. Establishing the rules and training for these employees creates a foundation of security and gives the company the best chance to create an engaged and security conscious workforce. Security Maturity controls also most closely align with the Administrative category of risk mitigation measures, which in addition would be the most important mitigation category of control (Physical, Technical, or Administrative) for the reasons stated above.
Hello Ryan,
I am happy to read that you have also picked security maturity from all three risk controls. As Vacca explains as well, I think this method is a powerful way to start the process of mitigating potential risks. In order to provide a really good security control system, security maturity must be robust in the organization. In addition, it makes sense that you combined the human factor in your post, which we learned about and discussed in the previous chapter. Indeed, although we might have good protection and response systems, it is very important to educate people first in organizations.
The three categories of risk mitigating controls in any organization to ensure confidentiality, integrity and availability of information are Physical, Technical and Administrative. I think Technical is primarily regarded as the most suited control measure to ensure confidentiality, integrity and availability of information within an organization, in order to ensure effectiveness in protecting the organization’s assets. This is so because using Technical controls such as security awareness training, and technical controls such as firewalls and anti-virus software, to prevent attacks from penetrating the network to cause harm would be considered the most vibrant and potent force within the mitigating control factors. And it is also considered most important because most government industry experts agree that security configuration management is probably the best way to ensure the best configuration allowable, coupled with automated patch management and updating of anti-virus software.
Furthermore, using a mixture of technical controls such as intrusion detection systems, system monitoring, file integrity monitoring and log management can help to track how and when system intrusions are being attempted.
Hi Kofi,
I think technical controls are vital and heavily talked about in today’s environment of increasingly prevalent ransomware attacks and data breaches. However, I think it’s also important to note that if a company deploys cutting-edge technical controls but forgets basic administrative or physical controls, it creates an easy access point for hackers. You could be checking all the boxes – EDR, MFA, encryption, VPNs, etc. – but if you let anyone walk through the front door into the server room, that’s a security risk.
As illustrated in the Computer and Information Security Handbook, Vacca explains mitigation controls to protect core assets as ‘attack resiliency’, ‘incident response’ and ‘security maturity’ (figure 24.1). I believe that the most important method is security maturity, because awareness in the organization, and the response and solution to a problem, occur with high standards and strong policies. No matter how strong your protection mechanisms against incidents are, or your detection of threats, these actions should be implemented into company culture as long-term goals.
According to Vacca, any information system security program must be comprehensive and risk-based. Most importantly, depending on security maturity, the organization must be able to align these strategies with the organization’s, as he argues again (figure 24.3).
I agree security maturity is probably the most important and impactful. Attack resiliency and incident response are key to a secure environment, however as Vacca said if an organization does not evolve into a business-aligned strategy then they are creating a false sense of security.
The three types of risk mitigating controls are Physical, Technical, and Administrative. I don’t think it’s possible or prudent to prioritize any one control or deem it the most important as they must all work in concert to mitigate risk. That said, it’s not always possible to adequately invest in all of these areas and tradeoffs must happen. This is why maturity models are critical to evaluating risk and providing guidance on how organizations grow and adapt.
If forced, I would prioritize Administrative controls given that security is a business problem and humans are typically the source of most security issues. As stated by my classmates in other posts, this arguably provides the best ROI. The human element gives administrative controls the edge in this scenario and makes it slightly more important than the others.
Hi Matthew,
I agree with you in that all three controls need to be viewed holistically and treated with care in order to create a secure environment. I attended a talk with some ex-IBM pen testers (Phil Kibler and Dan Wilson) and found it interesting how they said that while consulting with clients, clients often emphasized the great technical controls they had in place but would forget about simple physical controls. The number one way these pen testers would break into the client’s network was by walking through the front door, then dropping a USB on the ground and waiting for an employee to plug it into their machine.
Humans are definitely the source of most security issues and I agree the Administrative controls should be prioritized for the reasons you stated, as well as the business has to know its culture in order to properly assign/categorize controls.
Three types of risk mitigating controls are: Physical, Technical and Administrative. In my opinion, Administrative is the most important because it gives the most accurate representation of an organization’s attitude towards information security: their approach to security education, training and awareness, as well as policies and rules that are set in place to protect against vulnerabilities (such as frequently changing passwords, two-factor authentication, RBAC, etc.). It also best encompasses the idea that information security is important to everyone at any and all levels in an organization. Since humans are the primary vector for loss when it relates to information security, having an important foundation (Administrative controls) can/will go a long way towards creating a less vulnerable environment, and makes the organization more prepared if/when a risk is exploited.
Hi Andrew,
I agree with your statement that administrative is the most important. As you said, it gives the most accurate representation of an organization’s attitude towards IS. The example you gave of frequently changing passwords reminds me of how my organization did away with that policy. It used to be that we would have to change our password every thirty days, but now they have left it up to each individual employee, which to me isn’t the best security practice.
Three types of risk mitigating controls include administrative, physical, and technical. I don’t think one is more important than another – more so I believe it is up to the organization to identify which type of mitigating controls are most important to support their nature of business. If organizations can properly assess their risk environment and accurately implement the necessary controls where needed this can allow them to optimize their resources and efforts in avoiding the most prevalent risk.
Hi Bryan,
You are right. All of them need to be taken into consideration when doing a risk assessment plan and then the audit plan. However, they need the controls, software, or other systems to be effective and efficient for the operation of the organization. If a piece of software was installed incorrectly due to human error, then it exposes the organization to thieves or hackers. Even though one is not more important than the other, like you said, they need to train people properly depending on the nature of their business.
There are 3 main types of mitigation controls:
Technical controls are used at the most basic level. They are used to reduce vulnerabilities in both hardware and software. Automated software tools are utilized to protect these assets. Some examples of technical controls are firewalls, anti-virus software, encryption, and intrusion detection & intrusion prevention systems. Moreover, Access Control Lists are another example of a common technical control. An ACL is essentially a list of permissions which specifies who has permission to access certain objects and, in addition, what operations are allowed on a selected object.
The second main type of mitigation control would be administrative. Administrative controls pertain to policies, procedures and guidelines that are conducive with the organization’s security goals. An example of this would be making a new hire review and acknowledge the security policy during the onboarding process. In turn, when a new hire acknowledges that security policy he or she can then be held accountable if they do not comply with it.
The third mitigation control type is physical controls. These are security measures that are implemented within a defined structure, used to deter or prevent unauthorized access to sensitive material. Examples range from security guards, CCTV surveillance cameras, and alarm systems to locked and dead-bolted steel doors, and even biometrics.
I honestly think all three of these mitigation controls are all equally important to have in place. We have to understand that there is no such thing as 100% security. For that reason we need layers of security to increase the likelihood that a vulnerability cannot be exploited at any capacity of an organization that we are being tasked to protect.
I agree with the need to have all three controls and struggled with prioritizing only one for this question. I am curious about how people would approach this question from an investment perspective. Instead of selecting one priority to focus on, how would this group approach it from a budget perspective, i.e. what percentage of your budget would you spend across technical, physical, and administrative controls? Personally I would allocate the following: 50% Administrative, 30% Technical, 20% Physical.
Hi Joshua, I like the points you make as to why all mitigation controls are equally important. As I had mentioned in my comment, I considered technical the most important, and after going through what each control represents, administrative, in my opinion, was what I believe is the most important. However, each control plays an important role in managing levels of risk.
The three types of mitigating controls are Physical, Technical, and Administrative. Although it is the textbook answer, I would consider Administrative Controls as likely the most important. This is because setting up policy & procedures is a foundation for later technical/physical control implementations. An example of this would be an access control policy that could not be technically established until dissemination of roles occurs. If access to a particular information system requires Role-Based Access Control (RBAC), then there must be policies & procedures to determine the technical implementation. Not only does this make more sense, but it would also detail the training and documentation an individual would require in order to obtain the role for the system. Otherwise, how would the organization be able to facilitate access controls in the first place?
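As an added illustration of the point made in the post above (and of the permission-list idea in the earlier post on ACLs), here is a small Python script that is not from any post in this thread or from Vacca’s text: the administrative decisions (which roles exist, what each role may do, and which role pairs a single person may not hold under separation of duties) are written down as data, and a technical enforcement point defaults to deny and allows an action only when a held role grants it. The role, permission and user names are hypothetical, chosen only to make the flow concrete.

```python
"""Policy-as-data RBAC with a separation-of-duties (SoD) check.

Added example, not code from the discussion or from Vacca's handbook.
Role, permission and user names below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# --- Administrative layer: the policy, expressed as data -------------------

# Role -> set of (action, resource) permissions the role grants. Hypothetical.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "accounts_payable": {("create", "invoice"), ("read", "invoice")},
    "approver":         {("approve", "invoice"), ("read", "invoice")},
    "auditor":          {("read", "invoice"), ("read", "audit_log")},
    "sysadmin":         {("read", "audit_log"), ("write", "server_config")},
}

# Separation-of-duties constraints: no single user may hold both roles in a pair.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"accounts_payable", "approver"}),  # invoice creator may not approve
    frozenset({"sysadmin", "auditor"}),           # admin may not audit their own work
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


class PolicyViolation(Exception):
    """Raised when a role assignment would breach a SoD constraint."""


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any assignment that creates a SoD conflict."""
    if role not in ROLE_PERMISSIONS:
        # A role has to be defined by policy before it can be granted at all.
        raise ValueError(f"unknown role: {role}")
    for held in user.roles:
        if frozenset({held, role}) in SOD_CONFLICTS:
            raise PolicyViolation(
                f"{user.name} already holds '{held}'; '{role}' conflicts with it")
    user.roles.add(role)


def permissions_for(user: User) -> set[tuple[str, str]]:
    """Effective permissions are the union of the user's role permissions."""
    perms: set[tuple[str, str]] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Technical enforcement point: default deny, allow only via a held role."""
    return (action, resource) in permissions_for(user)


def demo() -> dict[str, bool]:
    """Walk through a constructed scenario and return the access decisions."""
    alice = User("alice")
    assign_role(alice, "accounts_payable")
    bob = User("bob")
    assign_role(bob, "approver")

    # Policy blocks giving alice the approver role on top of accounts_payable.
    sod_blocked = False
    try:
        assign_role(alice, "approver")
    except PolicyViolation:
        sod_blocked = True

    return {
        "alice_can_create_invoice": is_allowed(alice, "create", "invoice"),
        "alice_can_approve_invoice": is_allowed(alice, "approve", "invoice"),
        "bob_can_approve_invoice": is_allowed(bob, "approve", "invoice"),
        "bob_can_write_server_config": is_allowed(bob, "write", "server_config"),
        "sod_conflict_blocked": sod_blocked,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of keeping the role table and the SoD pairs as plain data is that they are owned by the policy (the administrative control), while `is_allowed` is the only place the technical control has to be right; change the policy data and enforcement follows without code changes.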
I agree with you Michael. Having proper technical controls in place do help in maintaining a proper information security program; but there is simply little effect to these controls if there is not proper management/administration behind it. Policies and procedures ensure that personnel are following critical ISO/PCI/HIPAA standards necessary to the functionality of an organization. Without policies, there is no uniformity or structure to a program.
The three types of risk-mitigating controls that exist are Technical (Logical), Operational (Physical) and Administrative (management) mitigating controls. I believe all three mitigation controls complement each other, and it is totally difficult for one to be effectively implemented in isolation of the other.
Technical or logical controls are machine-implemented controls. A technical control only becomes effective if the infrastructure is physically protected from unauthorized access, use or interference, i.e., it is very easy to configure a CMDB server for asset management purposes if such a server is physically secure within the organization.
Secondly, operational/physical controls will be effective in any organization if proper management or administrative controls, i.e., policies, standards, procedures, roles, and responsibilities, exist to establish, guide and direct the same. Lastly, technical controls are initiated, acquired, and implemented because of management approval/directives and nothing else. Likewise, administrative processes, i.e., access control, review and termination, will only work if and when adequate and effective technical controls exist to implement them.
Even though there is a school of thought that physical controls are the first and foremost line of defense and if not effective, others will fall, I am of the view that none is more important than the other because they all complement each other under the principle of defense in depth.
The three categorizations for information security risk mitigation controls are physical controls, technical controls (also known as attack resiliency), and administrative controls. Out of the three, I would personally rate administrative controls as the highest in importance.
As stated in the Computer and Information Security Handbook, administrative controls hold information security together. Technical controls, such as the implementation of IDS/IPS software or the usage of network security protocols like SSL proxies, are efficient—but only when used properly. If there are not efficient hiring procedures to get the right personnel in place to keep an environment secure, or even if there is not proper training, the external technical controls can ultimately be rendered useless. Physical security controls such as monitoring data center access are also critical to maintaining system security, but an organization without proper management/administration lacks the essential security maturity needed for an infosec program.
Hi Lauren, I like your layered approach to the question and I didn’t really think of it this way. I suppose I approached it with a more “pie in the sky” perspective, where financial and employee resources are plentiful. But I do tend to agree with you; I think it’s extremely important to establish administrative controls tailored to your organization. From there you can begin to deploy appropriate technical and physical controls through technologies to support the administrative controls.
Hi Lauren,
I absolutely agree with you, especially since I have witnessed this first hand. Currently, one of the things my organization struggles with comes from the business side. As discussed in earlier chapters from Vacca, business would do well to understand IT, and vice versa. Instead, I see different programs in my organization having the issue of onboarding and training new hires, especially in the wake of the pandemic. There is also another issue of some programs (not all) not quite understanding the processes of the Risk Management Framework (RMF) and the requirements needed by personnel. Because of this, when we enter implementation phases, system engineers quite frequently struggle.
The three types of risk mitigating controls are physical, technical, and administrative.
In my opinion, administrative is the most important because it deals with educating employees about risk mitigation strategies, and employees/people are the largest cause of risk/loss. Administrative risk mitigation also deals with policy and access controls, which are two of the other most important factors when it comes to risk control.
With that being said, physical and technical risk controls are both still necessary, and no system/network would be secure without all three.
Agreed Michael. Due to human error, employees being educated on risk mitigation on a regular basis should be part of the culture in the workplace. Holding regular trainings on risk policies and procedures is good to keep the information fresh. Also, when new employees start employment, they are initially made aware of risk mitigation strategies.
Hi Michael,
I agree with what you said that administrative control is the most secure. When it comes to personnel, people are uncontrollable, which is the biggest cause of losses. The lack of security controls puts the confidentiality, integrity, and availability of information at risk. This requires strengthening management and monitoring of administrative control. At the same time, attention should be paid to physical and technical risk controls, which greatly reduce the probability of encountering risks and cultivate a good ability to deal with risks.
I agree in that all three controls are vital to preventing and mitigating an attack. However, you bring up a good point about how vital administrative controls are. People are the weakest link, and a common way hackers infiltrate a network is via phishing. If we are able to educate employees to stop clicking harmful links, it can reduce the likelihood of an attack.
The 3 types of risk-mitigating controls are Physical, Technical, and Administrative.
Risk mitigation is achieved through the implementation of different types of security controls. The goal of countermeasures or guarantees determines the level of risk that needs to be reduced to the lowest level and the severity of the damage that the threat may cause.
The lack of security controls puts the confidentiality, integrity, and availability of information at risk. These risks also extend to the safety of people and assets within the organization. Administrative is the most important because, across the three aspects of corrective/detective/preventative, administrative controls have more efficient control functions, for example hiring and termination policies and separation of duties. Since they involve personnel, it is necessary to strengthen management and monitoring of administrative control.
Dan,
I agree with you on the opinion that administrative controls are the most important. Your point that administrative controls have more efficient and wider functions as far as the three aspects of correcting/detecting/preventing is a good one, because with proper education, even employees not specializing in IS can have a better idea of IS risks, preventive measures, and ways to correct past errors.
-Mike
I think the recovery strategy is what drives the success of the plan. When people are in trouble because they have not created a recovery strategy that genuinely meets the needs identified in the BIA, this may also be because they did not conduct sufficiently rigorous recovery exercises to determine that their plan could truly restore business.
Physical risk mitigation means locking doors, not letting unauthorized people into the building or server rooms, having scan-in badge access, and more. Technical includes having VPNs, MFA, encryption, penetration testing, and other important mitigation techniques in place. Administrative controls include role-based access, segregation of duties, and internal audits.
Hackers will always seek out the weakest link in your network. That means if you ignore one type of risk mitigating control, it will create a weakness for hackers to exploit. Ultimately, your corporate network is an ecosystem that you have to analyze holistically. If you are lacking in one type of control, you need to have mitigating controls in other areas so that you are able to prevent and limit any attacks on the network.
Hello Madalyn,
I completely agree with you that “Hackers will always seek out the weakest link in your network”. All of the controls need to be implemented equally to protect the network of the organization. However, I still think the most important one is the technical control, because if that is not set properly then anyone around the world can remotely access the computers/servers within the organization.
What are 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are Administrative, Technical and Physical. By definition the word mitigate means to make less severe or to lessen the gravity of; when we think about a business and its risks, having risk mitigations in place is crucial. For example, if we have a server for our business, one risk/concern would be something happening to the server data, so we mitigate that risk by backing up the server data. Yes, we would be concerned that something happened to our server data, but the gravity of the situation would be lessened as we had a backup of the data in place. I believe the Administrative mitigation controls are most important because the Administration steers the business and will decide what mitigating controls are needed, from most essential down to not needed.
Hi Jason,
I agree that administrative controls are the most important of the 3 controls. Having guidelines set in place prevents employees from being careless with their devices and mitigates the greatest risks of data breaches. Human error is a leading cause of data breaches and raising security awareness and compliance belongs in the administrative section.
Hello Jason, I’m afraid I have to disagree that administrative controls are the most important. Even though everything starts and ends with policies in place, which creates all processes and procedures, I believe that no control can operate effectively in isolation, making each one equally important to another. Operational controls enable the implementation of logical controls, making it easy to create policies and procedures. On the other hand, no management control will work if physical controls are not put in place. In summary, the relationship is symbiotic, and one can work without the other.
In regards to information security, Vacca defines three different domains for mitigating risk: attack resiliency, incident readiness, and security maturity. Attack resiliency mitigates an organization’s risk through the implementation of strong technical controls. Incident readiness measures an organization’s detective controls in place, reducing risk for the organization by limiting a threat actor’s dwell time through early detection in the event of a breach. Security maturity mitigates risk through implementing strong administrative policies and controls, which enable effective incident response. The goal of security maturity is to deter a threat actor from even selecting the business as a target in the first place. It ultimately will enable attack resiliency and incident readiness to thrive, and is therefore the most important risk mitigating control. Strong administrative policies in place will reduce the time of detection during incident response; it will be easier to trace internal attacks, for example.
Interesting concept that bad guys will be deterred from pursuing a target because of security maturity. It sounds like a variant of ‘Peace Through Strength’ – certainly a viable strategy for consideration! I had always thought of it more from the perspective of – it costs the bad guys very little to try and they only have to get lucky once. The good guys need to be good (if not great) ALL the time and in most companies are considered a ‘pure cost’ in economic terms (not contributing to revenue generation). I like the idea that through Cyber preparedness you could diminish the probability of a Cyber event.
The three types of risk mitigating controls are: Physical, Technical and Administrative. In my opinion, Administrative is the most important because it sets the ground work for the other 2. It defines how the over-arching functions of an organization perform work. The Technical and Physical controls are more closely related to work execution.
There are 3 types of risk mitigating controls: Physical, Technical, and Administrative. A few examples of Physical, Technical, and Administrative controls are:
– lock, gates, fences (Physical Control)
– Anti-virus software, Firewall, SIEM (Security Information and Event Management) (Technical Control)
– Segregation of Duties, Change Management, Training and Awareness (Administrative Control)
One of the main purposes of an information system is to be accessible when it is needed. Technical controls ensure the systems are available and are only accessible by authorized users, so I would consider technical control to be the most important among the controls. Physical control only stops unauthorized users from having physical access to the information asset. If the information assets are secured using technical controls such as password protection, properly encrypted hard drives, and other technical controls, then physical security can be implemented afterwards. Additionally, if the information technology is not secured using technical controls, then it could also be accessible to anyone remotely. Administrative control only ensures the information technology program is well maintained and that segregation of duties, change management, and other administrative controls are in place. If the systems are not accessible, then the administrative controls can’t define which user will need access to which resources, or what types of training will need to be provided to end users.
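As an added illustration that is not part of any post above, the Python below encodes the administrative controls both Madalyn (role-based access, segregation of duties, internal audits) and Patel (segregation of duties, change management) list as checks a system can actually enforce: a role-to-permission map, a change-approval step that refuses to let the requester approve their own change even when their roles would otherwise allow it, and an audit trail an internal auditor can query. All roles, users and change IDs are constructed sample data; the role model and permission names are assumptions for the example.

```python
"""Administrative controls (RBAC, separation of duties, change management,
audit trail) expressed as enforceable checks.

Hypothetical example: role names, permission strings, users and change
requests below are constructed sample data, not from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Role -> permissions (assumed role model; adjust to your organization).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"change.request", "repo.read", "repo.write"},
    "change_approver": {"change.approve", "repo.read"},
    "auditor": {"audit.read", "repo.read"},
}

# User -> roles (constructed sample directory). Note carol holds both roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob": {"change_approver"},
    "carol": {"developer", "change_approver"},
    "dave": {"auditor"},
}


@dataclass
class ChangeRequest:
    change_id: str
    requested_by: str
    approved_by: Optional[str] = None


@dataclass
class AuditLog:
    """Every allow/deny decision is recorded, which is what an internal audit reads."""
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: str, action: str, target: str, allowed: bool, reason: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target,
            "allowed": allowed, "reason": reason,
        })


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))


def has_permission(user: str, permission: str) -> bool:
    return permission in permissions_for(user)


def approve_change(change: ChangeRequest, approver: str, log: AuditLog) -> bool:
    """Approve a change only if RBAC and separation of duties both pass.

    Separation of duties: whoever requested the change may not approve it,
    even if their roles would otherwise permit approval (carol's case).
    """
    if not has_permission(approver, "change.approve"):
        log.record(approver, "change.approve", change.change_id, False, "missing permission")
        return False
    if approver == change.requested_by:
        log.record(approver, "change.approve", change.change_id, False,
                   "separation of duties: requester cannot approve own change")
        return False
    if change.approved_by is not None:
        log.record(approver, "change.approve", change.change_id, False, "already approved")
        return False
    change.approved_by = approver
    log.record(approver, "change.approve", change.change_id, True, "ok")
    return True


def denied_decisions(log: AuditLog) -> List[dict]:
    """What an internal audit would pull first: every denied action."""
    return [e for e in log.entries if not e["allowed"]]


def run_demo() -> dict:
    """Walk through constructed scenarios and return the outcomes."""
    log = AuditLog()
    cr1 = ChangeRequest("CHG-0001", requested_by="alice")
    cr2 = ChangeRequest("CHG-0002", requested_by="carol")
    return {
        "alice_self_approve": approve_change(cr1, "alice", log),  # no approve permission
        "bob_approves_cr1": approve_change(cr1, "bob", log),      # allowed
        "carol_self_approve": approve_change(cr2, "carol", log),  # has permission, SoD blocks
        "bob_approves_cr2": approve_change(cr2, "bob", log),      # allowed
        "dave_approves": approve_change(cr1, "dave", log),        # auditor: no permission
        "denied_count": len(denied_decisions(log)),
        "log": log,
    }


if __name__ == "__main__":
    for e in run_demo()["log"].entries:
        print(f'{e["actor"]:6} {e["action"]:15} {e["target"]}  allowed={e["allowed"]}  ({e["reason"]})')
```

The point of the example is that the policy (who may approve, and that it may never be the requester) lives in one place and every decision leaves a record; the technical enforcement only works because the administrative decision about roles and duties was made first.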
Hello Patel. I beg to disagree with you that “If the systems are not accessible then the administrative controls can’t be defined as which user will need access to resources, what types of training will need to provide to end-users.” Administrative controls, e.g., policies, procedures, standards, and guidelines, set the pace for creating logical and physical controls. In IT, everything and anything starts with a policy; without management buy-in, which is interpreted in controls, other risk mitigation objectives will not operate effectively. I am, however, of the view that they all complement each other.
The three types of mitigating risk control are physical, technical, and administrative. I believe that administrative risk mitigation is the most important of the three because procedures and policies need to be set in place. Not having these rules set in place could lead to employees being careless on their devices and putting the company at the risk of a data breach. While I do believe that physical and technical risk mitigation controls are important as well, human fault is one of the main causes of data breaches and dealing with employee awareness is an administrative control.
Hello Michael. Well said. While I agree with you on the 3 types of mitigating controls, I do not in any way believe that one is more important than the other. My reason is based on the premise that no control can actually work in isolation without touching the other. For example, physical controls pave the way for technical controls to be properly implemented, because if you lack physical security, logical control will not hold. Secondly, physical controls work better when infused with logical controls, i.e., access to a building being managed through a swipe card. Lastly, administrative and logical controls can only be effectively enforced when physical controls and logical enhancements exist. They all rely on each other for proper and effective implementation.
Business Impact Analysis. The BIA is one of the essential controls. To help the organization manage and control its risk, you should conduct regular BIAs. They should be current, comprehensive, and adequately assess the level of criticality in the continuity plan.
Recovery Strategy. Once you have the results from a good BIA, you can use them as the foundation for your second control, the Recovery Strategy. The strategy should reflect how quickly you need to recover the business unit and be fully implemented and validated.
Recovery Plan. The task here is to write a plan that comprehensively outlines the steps and actions you need to take to utilize the recovery strategy to recover the business unit and its critical processes.
The three types of risk mitigating controls are protect, detect, and respond. The most important risk mitigating control is to protect. If the organization is protective and so are the employees, the chances of having any incidents occur will be lower, as opposed to focusing on responding to incidents. It is always best to keep a breach from occurring than to be monitoring and responding to a breach.
The 3 types of risk mitigating controls are physical, technical, and administrative. A physical control is the implementation of security measures to prevent unwanted access. Examples of physical controls are: security guards, IDs, cameras, and alarm systems. Technical controls are to reduce vulnerabilities in hardware/software. Examples are encryption, firewalls, and anti-malware software. Administrative security controls refer to policies, procedures, or guidelines that align personnel with the organization’s security objectives/goals. Administrative risk mitigating control is the most important, since risk can be caused by human error. Training for phishing attacks falls under administrative security control. For example, if a policy calls for an employee to not post unethical situations about the company, that could ruin an organization’s reputation. If you hear terrible things about the company, customers are going to stay away from that business. Additionally, training for phishing is needed for employees. A business that does not train its employees to look for malicious and suspicious attacks can also be ruined by attackers taking sensitive and confidential information.
The three types of mitigating risk controls are physical, technical and administrative. I think that the most important control is administrative. Administrative is the most important control because it deals with the internal aspects of an organization. Employees, policies, guidelines and access control are all very important aspects of mitigating controls. By not having controls in place, the administrative risk can become a major problem for an organization, more than both technical and physical.
The three categories of risk mitigating controls are Physical, Technical and Administrative. Technical is considered the most appropriate control measure to promote the constant flow of information within an organization while protecting against any harmful attack that might cause the organization to lose assets. The reason is that making use of technical controls such as security awareness training, firewalls and anti-virus software to avert any serious attack from penetrating the network to do harm would be considered the most powerful and potent force among the mitigating control factors. It is seen as the most essential factor because most industry experts have reached the conclusion that security configuration management is basically the best way to maintain the best configuration allowable, coupled with automated patch management and updating of anti-virus software. Applying a mixture of technical controls such as intrusion detection systems, system monitoring, file integrity monitoring and log management can help to track how and when system intrusions are being attempted.