The 3 types of risk mitigating controls are physical, administrative, and technical controls. The most important mitigating control out of the three is technical controls. The reason why the technical control is the most important type of risk mitigating control is because it encompasses wherever the data is located. For example, technical controls over cloud data are more important because cloud data is not tangible, and a physical control would not protect cloud data.
Hi Jill,
I do agree that technical controls are important, especially with your example of cloud data. However, I feel that administrative controls are also important when considering access to cloud data. Having proper technical controls is important to safeguard the data itself; however, having proper administrative controls safeguards individuals within the company from improperly accessing data or misusing the data stored.
Hello Jill,
You raised a good point by indicating that technical controls are the most important mitigating control. However, I honestly believe all these controls tend to work pretty well together, because having good administrative controls will help better utilize and use proper tools to implement those technical controls.
There are three types of risk: physical risk, technical risk, and administrative risk. These risks can typically be mitigated by types of controls, i.e., detection and deterrence. For example, physical, deterrent-based mitigation controls can be a security guard or a fence, whereas a camera or motion-activated spotlight would be a detection-based mitigation control. Technical controls can also be viewed as detection and deterrent. Detection would be intrusion detection systems and honeypots, whereas configuring workstations to require passwords for logins would be a deterrent. Lastly, there’s administrative, which encompasses policies and procedures as well as security education, training, and awareness (SETA). I personally believe all of these mitigation controls piggyback off one another. If you have too much of one and less of another, you create vulnerabilities.
If I had to pick a specific control, it would be administrative controls. The reason I think administrative controls are most important is due to the policies an organization can set to guide their user population on rights and wrongs as well as dos and don’ts. Policies and procedures tell people exactly what is and isn’t appropriate. A good majority of attacks are conducted against people. People are looked at as inherently less secure than a company’s physical or technical infrastructure. If more attacks are targeted at people, it is important that administrative controls are clearly outlined. The reading states “Entering and accessing information systems to any degree within any organization must be controlled. What’s more, it is necessary to understand what is allowed and what’s not; if those parameters are clearly defined, the battle is half won.” It’s equally important to educate those users once policies have been read, understood, and signed. The reading states “Computer users in every organization, school, or agency are a critical aspect to the defense and protection of sensitive data and secure operations. Users can quickly become the Achilles heel of any security organization because there is no predicting how they will behave given a certain set of circumstances.” If your audience is informed both of dos and don’ts from a policy standpoint and of how to protect both themselves and the business from threats, the company can then lean less heavily on physical and technical controls to mitigate risk.
Hey Nicholas,
I agree with your choice of administrative controls. Your examples from the text regarding the control of information flow anywhere in the organization highlight the importance of administrative controls. I also agree with your statement that anyone in an organization can result in an incident and as such user training and making sure that all employees understand company policies is essential.
I have to disagree with your choice of the administrative control as the most important. I don’t think your reasoning is wrong, per se; I just don’t think you can really say one type of control is more important than the others. They have to work together. Only by having all three types of controls overlapping can you be truly secure.
Hey Dave,
I 100% agree that you need a healthy balance of all 3 controls in order to be effective. As I stated in my post “I personally believe all of these mitigation controls piggyback off one another. If you have too much of one and less of another, you create vulnerabilities.” I only chose one specifically and stated my case as to why due to the way the question was formatted.
The three types of risk mitigating controls are: Physical Controls, Technical Controls, and Administrative Controls. Physical Controls include security guards, identification cards, alarm systems, etc. Technical Controls include Access Control Lists (ACLs), Intrusion Detection Systems (IDS), encryption and many others. Administrative Controls include user training, policies and procedures, and security awareness training.
I honestly believe that Administrative Controls are the most critical mitigating factor for several reasons. An organization may have good technical controls in place, but they do not serve a good purpose if they are not configured properly. So, administrative controls serve a major purpose by providing policies and procedures that must be followed when implementing these technical controls. They also provide user and security awareness training to ensure that every employee, whether you are in the IT department or not, has the knowledge to detect or identify a potential threat. At the end of the day, you want to make sure that the business side aligns with the technical side while it is done right.
The three primary types of risk mitigation are physical, technical, and administrative. Physical controls address a risk or control in the physical realm, that is, things you can touch. Examples include locks, guards, and cameras. Technical controls address software and computer systems. These are probably the ones people think of most often: firewalls, anti-malware, OS configuration, and IDS systems. Administrative controls are more about behavior. They include things like policies, security training, and the overall culture and posture of a company or system.
I wouldn’t say that any one is clearly the most important overall. Each type of control is situational and addresses one part of the whole. Without all three types of controls, you cannot have full security coverage. Take the data on a server: physical controls will ensure no one can steal the hard drive, technical controls will ensure that only authorized individuals can access the data, and administrative controls will ensure that the data is not accidentally leaked.
Hey David,
I agree with your opinion that all controls are important. Regardless of how well thought-out an administrative policy is, it needs to be supported by strong technical and physical controls to facilitate proper usage of company systems. In contrast, only strong technical controls can be exploited by weak physical controls or by any employee not understanding how to secure data in movement or standing. And again with physical controls, if a system is easily hackable or is not supported by proper company policies, then it doesn’t matter how strong the physical controls are.
Hi Dave,
I agree with you that one control isn’t clearly more important than the others, in that it depends on the situation. I didn’t think of it from that point of view, but it is a great point of view. I also agree that you need all three types of controls to have full coverage.
Like so many things in security, you can’t just pick a single control, implement it, and call your work done. It requires overlapping and reinforcing controls to build a solid defense in depth strategy. The metaphor of the castle with multiple layers of walls, locking doors, roaming guards, and a moat is a good metaphor because it really shows the way that overlapping protections are stronger than they would be in isolation.
Hi Dave,
I agree with your assessment. Your metaphor describes perfectly the “defense in depth” concept. In order to adequately safeguard the confidentiality, integrity and availability of data and information assets, all of these countermeasures must be in place. This includes the physical access and security controls, network security controls, administrative controls/policies and procedures, logical access controls, etc. Another similar concept is part of a strong enterprise risk management function, such as the three lines of defense model, which includes the business function as the first line of defense in an organization, as they are responsible for their business process and risk mitigation; the compliance or quality assurance function, which serves as the second line of defense; and the internal audit function, which serves as the third and last line of defense in an organization.
Risk mitigating controls fall into three main categories: physical, technical, and administrative. Physical controls consist of physical access controls such as locked doors and man traps, motion detectors, and environmental controls such as heating and cooling systems. Physical controls protect the physical equipment. Technical controls protect the software, applications, networks, and operating systems. Examples of technical controls include antivirus software, multifactor authentication including passwords and biometric data, and intrusion detection systems. Lastly, administrative controls are the governing controls and set the policies and “tone at the top”. Examples of administrative controls include acceptable use policies, password requirements, role-based access and implementing segregation of duties.
All of these controls are critical to ensuring the security of the systems and thereby protecting the confidentiality, integrity and availability of the data. If I had to pick one category, I would select the administrative control functions, as they set the expectation and the requirements on which the other controls are based. For example, you can implement physical controls such as locked doors and card reader access, but if there is not a policy explaining the roles and responsibilities of the humans, these controls could be bypassed, such as in the case of piggybacking, or just allowing someone access without checking their ID if a door is under card reader access, or not safeguarding your PIN if that is another physical access control. If a technical control includes the use of antivirus software, but there is no patching policy to outline the requirements for implementing patches, including frequency, timeliness and consideration of the severity level of the vulnerability, the antivirus software could be rendered ineffective or not as effective as it could be. In short, the administrative policies set the tone for the organization by the leadership and serve to strengthen the overall control environment by enhancing the existing physical and technical controls.
Hello Christa,
That is a great point you bring up about how the administrative controls set the precedent for how the other forms of control are going to be implemented. A firewall is no good if it doesn’t have the administrative policy in place to determine which websites are malicious. The same goes for physical controls: if there is not a policy in place to determine who has access to what areas, doors and security are useless. I think all three controls need to work together to check and balance each other; the best admin policies are useless without a proper antivirus and building security.
The three types of risk mitigating controls are physical, technical, and administrative. Physical controls are controls that restrict physical access, including mantraps, cameras, and guards. Technical controls are controls that protect software, applications, and networks through the use of antivirus software, firewalls, intrusion detection and prevention systems, and other controls that are non-physical. Administrative controls are policies and governance controls that are implemented to reduce problems caused by individuals. These include user training, acceptable use policies, password policies, segregation of duties, and other restrictions enforced by an administration.
The most important risk mitigation controls would be administrative controls. Administrative controls are enforced by a company and require administrative approval to be enforced. Regardless of how proficient the technical and physical controls are, they need to be supported by the administration and there are some essential controls that fall outside of physical and technical that need to be accounted for. Acceptable use policies and other policies cover how employees need to manage themselves as well as provide assurance for the company if an individual fails to abide by the policies. Also, technical and physical controls do not cover individual employee behavior through their daily work. As such, having strong administrative controls is the most important risk mitigating control.
Hi Kenneth,
I do agree with you that administrative controls are important; however, I do believe that all 3 types of controls are important to have full coverage. You mentioned that technical and physical controls do not cover individual behavior, but I do think there are technical and physical controls that do cover individual behavior. For example, a technical control could be monitoring scheduled automated jobs, and if a job fails, an individual would be involved in the daily process. Same with physical controls: individual behavior is involved on a daily basis (e.g., physically locking a laptop with a cable lock to secure it).
Several people said that they thought administrative controls are most important. I have to disagree. Administrative controls may be the most difficult to manage and the ones that directly impact the user the most, but no control or type of control works in isolation; it must be part of a bigger, overlapping scheme of controls in all three domains to reinforce each other and ultimately be successful.
The three types of mitigating risk control are technical, physical and administrative. The way our economy is pushed through is by providing technical leadership for the nation’s measurement and standard infrastructure. I know it helps us grow and measure how we are doing and how we would like to be in the future, but it is based on information and how it is used. I think the most important is administrative controls, because as a society we need to set up the rules and guidelines of how we want to use these risk controls. I also do think that, based on other situations, we could be dependent on others as well. By setting up a “how to use” we can better control and problem solve the issues that would come in the future. I also do feel that, to make this work effectively, we also need to change and update them from time to time.
Hello Parmita,
I think that is a great point about administrative controls being a powerful tool in creating guides and rules on how to avoid risking your personal data. If more people had a small background in online and general risk avoidance there would be fewer data leaks and breaches.
The three types of risk mitigation controls are physical, administrative, and technical control. Physical controls have to do with the permissions set in the physical space, be it an office, hospital, or data center. This type of risk mitigation is seen in cameras, locks, and security, all of which manage who has access to physical locations and physical components of the system (servers, routers, computers, etc.). Technical mitigation controls help mitigate risk on the system itself like firewalls and anti-malware software. Lastly, administrative controls mitigate risk by putting policies and standards into place for users to adhere to.
The most important risk mitigation controls are the technical controls; this is because of their scalability and reliability. A firewall, for example, can offer around-the-clock protection from all threats when configured properly. Anti-malware software can be effectively run across every computer within a corporation regardless of size. Both physical and administrative risk mitigation controls have more human-reliant elements, which consequently leaves them more vulnerable to attack and limits their scalability. For example, an employee can be socially engineered to grant an attacker access into a system, and inadequate administrative policies can leave loopholes ready for exploitation.
Risk mitigation controls are strategies implemented to ensure business continuity and recovery in a disaster. Mitigation of risk is made up of several types. They include Risk Acceptance, Risk Avoidance, and Risk Limitation. The three play a role in cautioning a business against risks, and they can all be used. Simultaneous acceptance is not the best way to deal with troubles because it does not solve a problem when it occurs. The essential risk mitigation control is risk avoidance.
Risk Avoidance is the most important of these controls. It allows for the implementation of actions that caution the business against risk (Borky & Bradley, 2018). The measures implemented are mainly used to reduce risk exposure.
Hi Samuel, I agree with you that risk mitigation controls are strategies used to ensure business continuity and recovery in a disaster.
The three types of risk mitigating controls are: Physical Controls, Technical Controls, and Administrative Controls. All these controls are very important, but for me I would say administrative control should be prioritized. It establishes work practices that reduce the duration, frequency, or intensity of exposure to hazards.