Three types of risk-mitigating controls are physical (example: canine patrols and grounds lighting), technical (example: antivirus software and intrusion detection software) and administrative controls (example: corporate code of conduct and internal audit). Administrative controls are foundational as they provide the structure, alignment, and oversight necessary to ensure the effectiveness of physical and technical measures.
I agree with your point that the administrative controls are the most foundational because they influence the effectiveness of the other two types of controls. Physical and technical controls work as they’ve been programmed or built, but the way in which they are managed (by humans) varies across business units and organizations. Setting the general attitude towards information security requires administrative controls that have attained input from all levels of leadership to make information security a business process rather than an IT problem.
Very strong case that you make here. I like the fact that you highlight that physical and technical controls are ultimately managed by humans. While I do believe that physical and technical controls are important, I agree with you that humans play the most critical role in ensuring security effectiveness.
Andrea, the three types of mitigating controls that I used for my answer were similar to yours, and I think we share the same approach to risk mitigation, as we both believe administrative controls are the most important. Administrative controls oversee and create the physical / technical controls that are used to ensure risk mitigation and therefore are the foundation of keeping information and data safe. However, aside from this, why else do you feel administrative controls are so important? Personally, I find that administrative control is essential because any mistake they make when creating physical and technical controls affects the entire safety and vulnerability of information and data.
The more I learn from the courses I am currently taking, the better I understand each of these three mitigating controls’ significance. I agree with your assessment of administrative control’s impact on the other two controls’ mitigating effectiveness as well. Coming from a professional background that places my experience more in line with the trenches related to this control, I understand entirely its fundamental importance as well as its ability to steer mechanisms that change an institution’s structure, alignment, and culture. Great post.
The three types of risk-mitigating controls are preventive controls, which involve proactive measures to make sure an incident does not occur; these could be access control, authorization controls, or separation of duties, and the essence is to prevent incidents from occurring. Second are detective controls, used to find issues after they have occurred; these could be log monitoring, quality assurance, or review of transactions. The third control type is corrective controls, used to fix existing errors, e.g. employee security awareness training. In my opinion, preventive control is the most important because it is aimed at stopping risk from occurring.
I agree that preventive controls are the most important because they proactively block threats before they can cause damage, minimizing the likelihood of security incidents. Additionally, preventive controls create a strong foundation for an organization’s overall security strategy.
Hey Aisha & Nelson!
I agree that preventative control is important, but I am torn between preventative and recovery/corrective controls. Prevention is key to building a solid foundation and mitigating risk. However, risk is inevitable. No matter what, there will always be some sort of breach or security vulnerability. Nelson, you mentioned employee security awareness training as corrective action. I agree, but corrective action needs to be more than phishing training (as an example, since that is all that is offered at my job). For that reason, I think recovery is most important. The ability to recover and correct actions from security vulnerabilities in a timely and effective fashion will be crucial for the success of a firm.
Three types of risk management controls are:
Preventative (AV, firewall, password management, etc.)
Tracking (alert triggering, logging, threat hunting)
Recovery (backup solutions, redundant systems)
The most important to me is recovery. The reason why recovery is the most important risk mitigation to me is because breaches, data loss, and loss of service in one form or another are going to be inevitable. While these events should be mitigated as much as possible, the ability to recover from them is paramount.
Good point Ben, breaches are inevitable; risk is bound to exist in every enterprise, and assessment and constant mitigation are the only way to reduce risk and avoid impacts. Building fault-tolerant systems and recovery is highly important.
While I agree that recovery is an important risk mitigation strategy, I believe that preventive measures are more important because they focus on stopping threats before they occur. By proactively blocking potential risks, preventive measures help avoid the damage, costs, and disruptions associated with security incidents.
You’re right that Recovery is crucial, since incidents like breaches or data loss happen despite our best efforts. The ability to quickly restore systems and data is essential for minimizing damage. However, strong Preventative controls, like firewalls and password management, are also vital because they reduce the chances of these incidents happening in the first place. While Recovery is important, a balanced approach that includes Preventative, Tracking, and Recovery controls is key to effective risk management.
Three types of risk mitigating controls:
Technical: Firewalls used to block unauthorized access to the network, antivirus software that detects and removes malicious software, and encryption to protect data are examples of technical controls.
Administrative: Security policies such as guidelines and access control, proper training for employees, and incident response plans are examples of administrative controls.
Corrective Controls (Recovery): Includes incident response plans, patch management, and backup plans and procedures.
Overall, each control is just as important and creates a balanced approach to mitigating risk. However, if one control were to be labeled as the most important, I would say that it would be administrative. Administration is in charge of implementing technical controls as well as recovery controls. If the administration fails to utilize their technical and recovery controls, then there will be an increase in risk, and if an attack happens, they will not be prepared.
I agree that administrative controls are vital. However, I would like to present a different perspective. Although administrative controls play a role in ensuring the successful execution of both technical and corrective strategies, some may argue that technical controls could be seen as more vital since they are designed to prevent incidents from happening in the first place. If technical controls were fully optimized and effectively implemented, do you think administrative controls will still hold the same level of importance, or could their role diminish in criticality?
This is a great point; I ended up stealing your question and asking Brittany the same thing. Although we both agree that administrative controls are essential, as they make up the foundation for technical, physical, correctional controls, etc., it is worth noting that if technical controls were fully optimized, then the administrative control would essentially be diminished. In that same light, the administrative control would be responsible for overseeing the actions of the technical controls, and ultimately would be the reason an optimized and fully effective plan was created. Overall, the question is a real possibility and could be debated as to why administrative controls may not be as important as we might think.
I like your perspective. It presents a great alternative, but I respectfully disagree with the likelihood of the administrative roles losing their importance. This conclusion stems from the technical control policies being derived from the executive level of management, which sets all controls that are implemented.
On the other hand, since the semester began, I’ve learned that there are occasions when technical controls hold the same level of control. Information technology companies, such as Microsoft and Apple, are the exceptions, as their business model relies heavily on them.
The 3 types of risk mitigating controls are physical, technical, and administrative. Physical controls involve measures to protect physical assets. This includes fences, motion detectors, locked doors, and security guards. These are the first line of defense, preventing unauthorized access.
Technical controls are technology safeguards, like firewalls, antivirus software, intrusion detection systems, biometrics, card-activated locks, and single sign-on. These secure the digital world, not the physical equipment or location.
Administrative controls are policies, procedures, and guidelines. These include segregation of duties, corporate code of conduct, and internal audit. In my opinion, this is the most important control type. Maybe that is my professional internal auditor mindset showing but these controls set the tone at the top. Administrative controls guide behavior and establish accountability. You need the governance first to then guide the technical and physical controls.
I had similar thoughts on risk mitigation to yours; however, instead of physical controls, I stated that recovery, or correctional, controls are necessary. Physical controls are just as important, however, and create a balance between technical and administrative controls. Furthermore, I agree that administrative controls are the most important, as they hold people accountable and also set the foundation for mitigating risk. James brought up a great point in response to my question, and mentioned that if technical controls were implemented and successful, then what would the role of administration be? And how necessary would an administrative control be?
I would agree that administrative controls are important. If a rule of law is not set and clearly communicated at a business/institution, then you can quickly fall into situations where people are actively adding risk to an environment without realizing it.
The only caveat that I would add to the importance around administration is that there needs to be ways to enforce the policy. The greatest security risk in an organization is the humans at the computers and I don’t see that changing.
I completely agree with your post. Policies, procedures, and guidelines should govern all aspects of the mitigating controls that are put in place. As you mentioned, these controls originate from top-level management and are then implemented throughout the company by way of mechanisms directed by administrative controls, and overseen by departmental management for technical and physical controls. Great post!
Three types of risk-mitigating controls are physical, technical, and administrative. While I don’t believe one takes precedence over the others, if I had to choose one, I would highlight administrative as the most important. Without the business policies and guidelines set in place by an organization, security is bound to fail as we previously learned that humans are the primary vector for loss. I would like to highlight that all controls should be utilized holistically, and optimized according to each individual organization’s need.
Thank you for your thoughtful response. While I agree on the importance of a holistic approach to the risk-mitigating controls, I believe technical controls might be just as critical, especially in automated environments where human interaction is minimal. This raises an interesting point. Could relying too much on administrative controls create security gaps in highly technical settings? Your post was both insightful and well-expressed.
The three types of risk-mitigating controls are physical, technical, and administrative. Physical controls manage physical access to data, such as securing servers in a locked room. Technical controls protect non-physical data through methods like authentication and secure passwords. Administrative controls involve policies and procedures, such as codes of conduct, segregation of duties, and change management. Of the three, administrative controls are the most important because they provide the governance framework that guides both physical and technical controls. Since human error or misconduct is a leading cause of security breaches, strong administrative controls are crucial for preventing and mitigating risks.
The three types of risk-mitigating controls are attack resiliency, incident readiness, and security maturity. Attack resiliency is protection against internal and external attacks, and it relates to the confidentiality and availability of core assets. It helps to protect core business assets by implementing strong technical controls and adhering to best practices. Incident readiness refers to detection mechanisms for breach identification, and it can affect availability and integrity. It can help in the early detection of security breaches or incidents. Security maturity consists of awareness, incident response, and strong policies. It affects the confidentiality and integrity of assets, as it is protecting the data and integrity of the business.
Building a security program with a comprehensive and risk-based strategy is key to being effective. Because of this, I think it is the most important: having a system that includes an understanding of how vital it is to keep business units secure in all areas of an organization. Security is not a technical issue but a business issue, especially with how information security is continuing to be more important to organizations. Having a solid and effective security program with a risk-based and business-aligned strategy, in my opinion, is better than incident readiness, which is implemented after a breach. Security maturity has a more proactive and comprehensive approach than attack resiliency. This helps prevent attacks before they happen, rather than simply reacting to them. Also, focusing only on resilience might impact the opportunities to strengthen its defenses and prevent attacks from occurring.
I fully agree with the emphasis on developing a risk-based security strategy that aligns with business goals. However, I’d like to introduce an additional perspective. While advancing security maturity is undoubtedly proactive and essential, I believe that prioritizing attack resiliency could be equally, if not more, critical. Resiliency ensures that an organization not only withstands but also swiftly recovers from internal and external threats. This capability is crucial for maintaining operational continuity and reducing potential disruptions. If a company focuses too heavily on achieving security maturity without ensuring strong resiliency measures, it may inadvertently expose itself to unexpected vulnerabilities.
The 3 types of controls or safeguards used to mitigate risk in Information systems are Physical, Technical, and Administrative. The 3 types of controls aim to approach security risks from different perspectives:
Physical: These safeguard the physical access to information systems; they may be used to protect buildings, rooms, or spaces that contain information systems. They may include the use of security guards, badge scanners, biometrics, or bollards. They aim to both deter threat actions and provide additional layers of security for sensitive/proprietary information.
Technical: This type of safeguard approaches risk mitigation with software over an enterprise network; they are used to protect devices against the loss of Confidentiality, Integrity, and Availability. This type of control employs Multi-Factor Authentication (MFA), Firewalls, Intrusion Detection Systems (IDS), and Antivirus to help prevent, detect, and correct security risks to Information systems.
Administrative: policies, rules, or guidelines set forth by an organization to include Information Security as a business process. This type of risk-mitigating control dictates the manner in which information and information assets are to be managed. This can include policies on who can access classified data, how information systems can be used, and what type of data can be shared; this is often referred to as an Acceptable Use Policy (AUP).
The administrative type of control is objectively the most important type of risk-mitigating control. Administrative controls dictate how information systems and the information they hold are managed and interacted with. The largest risk to an organization’s IT Assets is the humans who interact with them in order to function on a daily basis, specifically their negligence or lack of adequate training. This type of control mitigates the risk of human negligence by dictating how systems are being used and often sets boundaries on who has access to certain systems and the level/frequency of training colleagues receive. They often influence the use of technical and physical controls to prevent loss of Confidentiality, Integrity, and Availability of Information Assets.
I agree with the comment because administrative controls are crucial for defining how information systems are used and managed, setting guidelines that address human factors such as negligence and inadequate training. These controls not only establish policies and procedures but also influence the implementation of physical and technical safeguards to protect the confidentiality, integrity, and availability of information assets.
The three categories of risk-mitigating controls are physical, technical, and administrative controls. Out of these three types of controls, technical controls stand out as the crucial one, since they directly safeguard the confidentiality, integrity, and availability of sensitive data stored by organizations. These technical safeguards encompass a range of measures, like firewalls to block access, encryption to secure data during transmission or storage, and intrusion detection systems to monitor and prevent any potential breaches, in a world where digital threats are ever evolving.
I enjoyed your response, as it posed a new point of view. I agree that technical controls do the heavy lifting when directly dealing with a threat; however, I disagree that technical is the most important control. While it is crucial for an organization to leverage technical safeguards to ensure data security, these safeguards are only as efficient as the humans that utilize them. Tasks such as encrypting files and practicing secure data transmission and/or storage are actions humans need to take for these measures to be effective in securing sensitive information. Administrative controls set the framework so the people doing the work understand the importance of security and take these appropriate actions.
The three types of risk mitigation controls are administrative, physical, and technical. Administrative control refers to information security protection policies, procedures, and guidelines established by organizational leadership that define personnel and business roles and responsibilities. Physical control refers to the material security defense an organization can install, hire, or put in place to protect its critical (as well as non-critical) infrastructure from threats. Technical control refers to hardware devices or software used to protect critical infrastructure, networks, and data. The most important aspect of risk mitigation is administrative controls.
Properly implemented administrative controls can scope and raise risky behavior awareness; they can implement risk management training and direct mid and high-level management to implement training assessments to ensure training compliance. All of this can change an organization’s professional culture to one that is better educated, trained, and aware of the importance of individual and organizational information security.
Three types of risk-mitigating controls are detect, protect, and react.
Detection controls are designed to monitor network activities and identify potential security threats, while protection controls aim to prevent unauthorized access to network resources. Response controls focus on taking corrective actions to resolve the issue that caused the breach, restore normal business operations, and prevent future intrusions.
The most important risk-mitigating control is protection control because it focuses on preventing incidents from occurring. Tools such as firewalls, anti-virus protection, multi-factor authentication, employee training and awareness programs, and security policies are examples of protection controls.
Great response! To build off your explanation of how important protection is, I believe organizations need to continuously improve their systems to protect their data. Threats are inevitable, especially in this era where almost all information and data is digitalized. Using proper protection measures is essential for an organization. They have to account for how they are susceptible to risk and utilize tools and their teams to develop innovative ways of protection.
It’s interesting that you group employee awareness and security policies into risk mitigating controls when the majority of the class seems to have classified them under administrative.
I think it’s just an illustration of how closely intertwined anything we do in the risk management space is, in that multiple things can be classified in different ways depending on the individual. It just goes to show how important communication can be in keeping a company safe and aligned.
Andrea Baum says
Three Types of risk mitigating controls are physical (example: canine patrols & grounds lighting), technical (example: antivirus software & intrusion detection software) and administrative controls (example: corporate code of conduct & internal audit). Administrative controls are foundational as they provide the structure, alignment, and oversight necessary to ensure the effectiveness of physical and technical measures.
Gbolahan Afolabi says
Hello Andrea,
I agree with your point that the administrative controls are the most foundational because they influence the effectiveness of the other 2 types of controls. Physical and technical controls work as they’ve been programmed or built but the way in which they are managed (by humans) varies across business units and organizations. Setting the general attitude towards information security requires administrative controls that have attained input from all levels of leadership to make information security a business process rather than an IT problem.
Ericberto Mariscal says
Hello Gbolahan,
Very strong case that you make here, I like the fact that you highlight that physical and technical controls are ultimately managed by humans. While I do believe that physical and technical controls are important, I agree with you that humans play the most critical role in ensuring security effectiveness.
Vincenzo Macolino says
Andrea, the three types of mitigating controls that I used for my answer where similar to yours and I think we share the same approach to risk mitigating as we both believe administrative controls is the most important. Administrative controls oversea and create the physical / technical controls that are used to ensure risk mitigation and therefore are the foundation of keeping information and data safe. However aside from this, why else do you feel administrative controls are so important? Personally, I find that administrative control is essential because any mistake they make when creating physical and technical controls affects the entire safety and vulnerability of information and data.
Jocque Sims says
Good evening Andrea,
The more I learn from the courses I am currently taking, the better I understand each of these three mitigating controls’ significance. I agree with your assessment of administrative control’s impact on the other two controls mitigating effectiveness as well. Coming from a professional background that places my experience more in line with the trenches related to this control, I understand entirely its fundamental importance as well as its ability to steer mechanisms that change an institution’s structure, alignment, and culture. Great post.
Nelson Ezeatuegwu says
The three types of risk mitigating controls are Preventive controls: it involves proactive measures to make sure an incident does not occur, it could be access control, authorization controls separation of duties, the essence is to prevent incident from occurring. Second is Detective controls: used to find issues after they have occurred, it could be log monitoring, quality assurance, review of transaction. The third control is Corrective controls: used to fix existing errors eg employee security awareness training. In my opinion preventive control is the most important because it is aimed at stopping risk from occurring.
Aisha Ings says
Hi Nelson,
I agree that preventive controls are the most important because they proactively block threats before they can cause damage, minimizing the likelihood of security incidents. Additionally, preventive controls create a strong foundation for an organization’s overall security strategy.
Dawn Foreman says
Hey Aisha & Nelson!
I agree that preventative control is important, but I am torn between preventative and recovery/corrective controls. Prevention is key to build a solid foundation and mitigate risk. However, risk is inevitable. No matter what there will always be some sort of breach or security vulnerability. Nelson, you mentioned employee security awareness training as corrective action. I agree, but corrective action needs to be more than phishing training (as an example since that is all that is offered at my job). For that reason, I think recovery is most important. The ability to recover and correct actions from security vulnerabilities in a timely and effective fashion will be crucial for the success of a firm.
Benjamin Rooks says
Three type of risk management controls are:
Preventative (AV, Firewall, password management ect.)
Tracking (Alert Triggering, logging, threat hunting)
Recovery (Backup solutions, redundant systems)
The most important to me is recovery. The reason why recovery is the most important risk mitigation to me is because breaches, data loss, and loss of service in one form or another is going to be inevitable. While these events should be mitigated as much as possible, the ability to recover from them is paramount.
Nelson Ezeatuegwu says
Good Point Ben, breaches is inevitable, risk is bound to exist in every enterprise, assessment, and constant mitigation is the only way reduce risk and avoid impacts, building a fault tolerant systems and recovery is highly important.
Aisha Ings says
Hi Ben,
While I agree that recovery is an important risk mitigation strategy, I believe that preventive measures are more important because they focus on stopping threats before they occur. By proactively blocking potential risks, preventive measures help avoid the damage, costs, and disruptions associated with security incidents.
Christopher Williams says
You’re right that Recovery is crucial since incidents like breaches or data loss happens despite our best efforts. The ability to quickly restore systems and data is essential for minimizing damage. However, strong Preventative controls, like firewalls and password management, are also vital because they reduce the chances of these incidents happening in the first place. While Recovery is important, a balanced approach that includes Preventative, Tracking, and Recovery controls is key to effective risk management.
Vincenzo Macolino says
Three types of risk mitigating controls:
Technical: Firewalls used to block unauthorized access to the network, antivirus software that detects and removes malicious software, and encryptions to protect data are examples of technical controls.
Administrative: Security policies such as guidelines, and access control, proper training for employees, and incident response plans are examples of administrative controls.
Corrective Controls (Recovery): Includes incident response plans, patch management, and backup plans and procedures.
Overall, each control is just as important and creates a balanced approach to mitigating risk. However, if one control where to be labeled as the most important, I would say that it would be administrative. Administration is in charge of implementing technical controls as well as recovery controls. If the administration fails to utilize their technical and recovery controls than there will be an increase in risk and if an attack happens, they will not be prepared.
James Nyamokoh says
Hi Vincenzo,
I agree that administrative controls are vital. However, I would like to present a different perspective. Although administrative controls play a role in ensuring the successful execution of both technical and corrective strategies, some may argue that technical controls could be seen as more vital since they are designed to prevent incidents from happening in the first place. If technical controls were fully optimized and effectively implemented, do you think administrative controls will still hold the same level of importance, or could their role diminish in criticality?
Vincenzo Macolino says
This is a great point, I ended up stealing your question and asking Brittany the same thing. Although we both agree that administrative controls are essential as the make up the foundation for technical, physical, correctional controls, etc… it is worth noting that if technical controls were fully optimized, then the administrative control would essentially be diminished. In that same light, the administrative control would be responsible for overseeing the actions of the technical controls, and ultimately would be the reason an optimized and fully effective plan was created. Overall, the question is a real possibility and could be debated as to why administrative controls may not be as important as we might think.
Jocque Sims says
Good evening James,
I like your perspective. It presents a great alternative, but I respectfully disagree with the likelihood of the administrative roles losing their importance. This conclusion stems from the technical control policies deriving themselves from the executive level of management, which sets all controls that are implemented.
On the other hand, since the semester began, I’ve learned that there are occasions when technical controls hold the same level of control. Information technology companies, such as Microsoft and Apple, are that exceptions, as their business model relies heavily on them.
Great post.
Brittany Pomish says
The 3 types of risk mitigating controls are physical, technical, and administrative. Physical controls involve measures to protect physical assets. This includes fences, motion detectors, locked doors, and security guards. These are the first line of defense, preventing unauthorized access.
Technical controls are technology safeguards, like firewalls, antivirus software, intrusion detection systems, biometrics, card activated locks, and single sign-on. These secure the digital world, not the physical equipment or location.
Administrative controls are policies, procedures, and guidelines. These include segregation of duties, corporate code of conduct, and internal audit. In my opinion, this is the most important control type. Maybe that is my professional internal auditor mindset showing but these controls set the tone at the top. Administrative controls guide behavior and establish accountability. You need the governance first to then guide the technical and physical controls.
Vincenzo Macolino says
I had similar thoughts on risk mitigation to yours; however, instead of physical controls I stated that recovery, or correctional, controls are necessary. Physical controls are just as important, however, and create a balance between technical and administrative controls. Furthermore, I agree that administrative controls are the most important, as they hold people accountable, and also set the foundation for mitigating risk. James brought a great point in response to my question, and mentioned that if technical controls were implemented and successful, then what would the role of administration be? And how necessary would an administrative control be?
Benjamin Rooks says
I would agree that administrative controls are important. If a rule of law is not set and clearly communicated at a business/institution, then you can quickly fall into situations where people are actively adding risk to an environment without realizing it.
The only caveat that I would add to the importance around administration is that there needs to be ways to enforce the policy. The greatest security risk in an organization is the humans at the computers and I don’t see that changing.
Jocque Sims says
Good evening Brittany,
I completely agree with your post. Policies, procedures, and guidelines should govern all aspects of the mitigating controls that are put in place. As you mentioned, these controls originate from top-level management and are then implemented throughout the company by way of mechanisms directed by administrative controls, and overseen by departmental management for technical and physical controls. Great post!
Ericberto Mariscal says
Three types of risk-mitigating controls are physical, technical, and administrative. While I don’t believe one takes precedence over the others, if I had to choose one, I would highlight administrative as the most important. Without the business policies and guidelines set in place by an organization, security is bound to fail as we previously learned that humans are the primary vector for loss. I would like to highlight that all controls should be utilized holistically, and optimized according to each individual organization’s need.
James Nyamokoh says
Hi Eric,
Thank you for your thoughtful response. While I agree on the importance of a holistic approach to the risk-mitigating controls, I believe technical controls might be just as critical, especially in automated environments where human interaction is minimal. This raises an interesting point. Could relying too much on administrative controls create security gaps in highly technical settings? Your post was both insightful and well-expressed.
Cyrena Haynes says
The three types of risk-mitigating controls are physical, technical, and administrative. Physical controls manage physical access to data, such as securing servers in a locked room. Technical controls protect non-physical data through methods like authentication and secure passwords. Administrative controls involve policies and procedures, such as codes of conduct, segregation of duties, and change management. Of the three, administrative controls are the most important because they provide the governance framework that guides both physical and technical controls. Since human error or misconduct is a leading cause of security breaches, strong administrative controls are crucial for preventing and mitigating risks.
Neel Patel says
The three types of risk-mitigating controls are attack resiliency, incident readiness, and security maturity. Attack resiliency is protection against internal and external attacks, and it relates to the confidentiality and availability of core assets. They help to protect core business assets by implementing strong technical controls and adhering to best practices. Incident readiness consists of detection mechanisms for breach identification, and it can affect availability and integrity. It can help in the early detection of security breaches or incidents. Security maturity consists of awareness, incident response, and strong policies. It affects the confidentiality and integrity of assets as it is protecting the data and integrity of the business.
Building a security program with a comprehensive and risk-based strategy is key to being effective. Because of this, I think it is the most important: having a system that includes an understanding of how vital it is to keep business units secure in all areas of an organization. Security is not a technical issue but a business issue, especially with how information security is continuing to be more important to organizations. Having a solid and effective security program with a risk-based and business-aligned strategy, in my opinion, is better than incident readiness, which is implemented after a breach. Security maturity has a more proactive and comprehensive approach than attack resiliency. This helps prevent attacks before they happen, rather than simply just reacting to them. Also, focusing only on resilience might impact the opportunities to strengthen its defenses and prevent attacks from occurring.
James Nyamokoh says
Hi Neel,
I fully agree with the emphasis on developing a risk-based security strategy that aligns with business goals. However, I’d like to introduce an additional perspective. While advancing security maturity is undoubtedly proactive and essential, I believe that prioritizing attack resiliency could be equally, if not more, critical. Resiliency ensures that an organization not only withstands but also swiftly recovers from internal and external threats. This capability is crucial for maintaining operational continuity and reducing potential disruptions. If a company focuses too heavily on achieving security maturity without ensuring strong resiliency measures, it may inadvertently expose itself to unexpected vulnerabilities.
Gbolahan Afolabi says
The 3 types of controls or safeguards used to mitigate risk in Information systems are Physical, Technical, and Administrative. The 3 types of controls aim to approach security risks from different perspectives:
Physical: These safeguard the physical access to information systems; they may be used to protect buildings, rooms, or spaces that contain information systems. They may include the use of security guards, badge scanners, biometrics, or bollards. They aim to both deter threat actions and provide additional layers of security for sensitive/proprietary information.
Technical: This type of safeguard approaches risk mitigation with software over an enterprise network; they are used to protect devices against the loss of Confidentiality, Integrity, and Availability. This type of control employs Multi-Factor Authentication (MFA), Firewalls, Intrusion Detection Systems (IDS), and Antivirus to help prevent, detect, and correct security risks to Information systems.
Administrative: Policies, rules, or guidelines set forth by an organization to include Information Security as a business process. This type of risk-mitigating control dictates the manner in which information and information assets are to be managed. This can include policies on who can access classified data, how information systems can be used, and what type of data can be shared; often referred to as an Acceptable Use Policy (AUP).
The administrative type of control is objectively the most important type of risk-mitigating control. Administrative controls dictate how information systems and the information they hold are managed and interacted with. The largest risk to an organization’s IT Assets is the humans who interact with them in order to function on a daily basis, specifically their negligence or lack of adequate training. This type of control mitigates the risk of human negligence by dictating how systems are being used and often sets boundaries on who has access to certain systems and the level/frequency of training colleagues receive. They often influence the use of technical and physical controls to prevent loss of Confidentiality, Integrity, and Availability of Information Assets.
Andrea Baum says
I agree with the comment because administrative controls are crucial for defining how information systems are used and managed, setting guidelines that address human factors such as negligence and inadequate training. These controls not only establish policies and procedures but also influence the implementation of physical and technical safeguards to protect the confidentiality, integrity, and availability of information assets.
James Nyamokoh says
The three categories of risk mitigating controls are physical, technical, and administrative controls. Out of these three types of controls, technical controls stand out as the crucial one since they directly safeguard the confidentiality, integrity, and availability of sensitive data stored by organizations. These technical safeguards encompass a range of measures like firewalls to block access, encryption to secure data during transmission or storage, and intrusion detection systems to monitor and prevent any potential breaches, in a world where digital threats are ever evolving.
Cyrena Haynes says
Hi James,
I enjoyed your response as it posed a new point of view. I agree that technical controls do the heavy lifting when directly dealing with a threat, however, I disagree that technical is the most important control. While it is crucial for an organization to leverage technical safeguards to ensure data security, these safeguards are only as efficient as the humans that utilize them. Tasks such as encrypting files, practicing secure data transmission and/or storage are actions humans need to take for these measures to be effective in securing sensitive information. Administrative controls set the framework so the people doing the work understand the importance of security and take these appropriate actions.
Jocque Sims says
The three types of risk mitigation controls are administrative, physical, and technical. Administrative control refers to information security protection policies, procedures, and guidelines established by organizational leadership that define personnel and business roles and responsibilities. Physical control refers to the material security defense an organization can install, hire, or put in place to protect its critical (as well as non-critical) infrastructure from threats. Technical control refers to hardware devices or software used to protect critical infrastructure, networks, and data. The most important aspect of risk mitigation is administrative controls.
Properly implemented administrative controls can scope and raise risky behavior awareness; they can implement risk management training and direct mid and high-level management to implement training assessments to ensure training compliance. All of this can change an organization’s professional culture to one that is better educated, trained, and aware of the importance of individual and organizational information security.
Aisha Ings says
Three types of risk mitigating controls are detect, protect and react.
The role of detection controls is designed to monitor network activities and identify potential security threats, while protection controls aim to prevent unauthorized access to the network resources. Response controls focus on taking corrective actions to resolve the issue that caused the breach, restore normal business operations, and prevent future intrusions.
The most important risk mitigating control is protection control because it focuses on preventing incidents from occurring. Tools such as firewalls, anti-virus protection, multi-factor authentication, employee training and awareness programs, and security policies are examples of protection controls.
Neel Patel says
Hi Aisha!
Great response! To build off your explanation of how important protection is, I believe organizations need to continuously improve their systems to protect their data. Threats are inevitable, especially in this era where almost all information and data is digitalized. Using proper protection measures is essential for an organization. They have to account for how they are susceptible to risk and utilize tools and their teams to develop innovative ways of protection.
Benjamin Rooks says
It’s interesting that you group employee awareness and security policies into risk mitigating controls when the majority of the class seems to have classified them under administrative.
I think it’s just an illustration of how closely intertwined anything we do in risk management space is that multiple things can be classified different ways depending on the individual. It just goes to show how important communication can be in keeping a company safe and aligned.