As an Information Security professional, how do administrative controls, such as policies, procedures, frameworks, help protect you from the technical threats of cybercrime?
Oby Okereke says
Administrative controls form the basis from which technical and physical controls derive their subsequent implementation and enforcement – thus it is inherently necessary to ensure policies, procedures, and frameworks are followed and strictly adhered to.
Failure to comply with administrative controls invariably affects logical and physical controls. Take for example security policies, which fall within the scope of administrative control; policies help shape expected user behaviors within an organizational entity and can help combat cybercrime if users comply with the contents of security policies. A good example is the Security Awareness Training program, which details the “do’s” and “don’ts” expected of users in the course of using an organization’s computing assets. If users do not pay attention to the contents and expectations of the security awareness training, it could lead to cybercrimes such as phishing and identity theft, thus exposing the organization to data leaks and losses. Adequate attention must be paid to administrative controls if a security professional is serious about combating the technical threats that emanate from cybercrime, or risk the very grave consequences that follow.
Elizabeth V Calise says
Hi Oby –
I thought your response answered the discussion question well: administrative controls shape the behavior of the employees, which contributes to battling cybercrime. Human error is a main reason for successful cyber security attacks. It could be an employee falling for a phishing scam or inserting an unknown flash drive into their laptop. If companies don’t implement controls (including policies) around employee behavior, like security awareness programs, then the human error is going to be much greater, increasing the success of cybercrime.
Ahmed A. Alkaysi says
Hi Oby, I like how you provided an example of security awareness and training as an administrative control. I think most times we think of policies, procedures, guidelines, and standards as admin controls, but not security awareness and training. Security awareness and training is an extremely important preventive control that will mitigate common risks and threats. It’s an important control, not only due to its mitigating impact, but because it’s also not expensive to implement.
Dima Dabbas says
Hi Oby,
In order to have a full cycle of security, you need to have administrative controls that are working alongside the physical and technical controls supporting the operations of your organization. The example of security awareness programs is important, as not all employees are familiar with the impact that security can have on the organization if not implemented correctly. Employees need to be aware that they can threaten the organization if they, for example, open an email from an anomalous user. As we have read in the chapters, humans are the weakest link; therefore we need to do as much as we can to try to make individuals understand security and perform due diligence when handling data.
Jonathan Duani says
Oby,
Really great examples you used to explain different aspects of security awareness. I really think education is important when it comes to security awareness. If you start telling employees from day one what they need to do and look at in order to properly ward off an attack, then they will be able to make sure they do not fall victim.
Ahmed A. Alkaysi says
Administrative controls are extremely important for the successful implementation of a security program. For a security program to be effective, the tone starts at the top. Management must identify the need for the policies, procedures, baselines, and standards in order for the appropriate technical controls to be implemented within the organization.
Without administrative controls describing the who, why, and what, security professionals will be unable to effectively create the technical controls that will mitigate the relevant risks. Security policies will provide the “scope of security needed by the organization” and the assets that require the protection. This is the strategic piece of the security program. Procedures are much more tactical in nature, providing step-by-step guidance on how to implement technical controls. Without these documents, there will be no guidance on what to protect, and how to protect, leaving a gaping hole in an organization’s defense from technical threats.
Duy Nguyen says
Hi Ahmed,
I agree with a top-down approach to organizational security. It is critical that top-level executives communicate the importance of security to their staff.
Dima Dabbas says
Ahmed,
You bring up interesting points in that administrative controls are the connector controls that connect the physical and technical controls together. If administrative controls are not in place, this puts the other controls at risk of not being implemented the proper way. Administrative controls introduce the roles and responsibilities that individuals have toward security and it is through these roles and responsibilities that the other controls are put into place and implemented.
Jonathan Duani says
Ahmed,
I agree that security controls are important to a successful security program. Managers are where it all starts and ends when it comes to security. They are responsible for making sure that everything gets done in a timely manner and that their subordinates are following their rules closely. Without administrative controls, like you said, it can turn to chaos. A manager will be unable to enforce their set policies if nothing is set into place.
Duy Nguyen says
In my opinion, administrative controls are slightly more important than technical controls. Administrative controls give the organization a framework or baseline for security, and they provide an organization with a high-level focus on the organization’s posture for information security. Technical and physical controls are implemented and established based on the governance of the administrative position. It also dictates who the responsible department/resources will be to conduct and implement these technical and physical controls.
Oby Okereke says
Hi Duy:
I like your last point, which states that administrative controls dictate who is responsible for the implementation of technical and physical controls. Indeed, you could not have captured it any better. The assignment of detailed responsibilities is always contained in policies, as well as the repercussions of failure to adhere to such policies or regulatory assignments and laws. This in turn aids the achievement of the administrative control goals and objectives.
Elizabeth V Calise says
Duy – I thought your response was concise and meaningful. I think you hit the nail on the head when stating “…administrative controls are more important than the technical controls.” The administrative controls are the foundation, or one can say paramount. Then the technical and physical controls build off of the foundation. Administrative controls create the framework and create policies in regard to the roles/resources. As Oby also agreed, the administrative controls are going to state who is responsible for the physical and technical controls. You can’t have successful physical and technical controls without the base (administrative controls).
Ahmed A. Alkaysi says
Without administrative controls, an organization wouldn’t know what technical controls to implement. Administrative controls help identify the technology, scope, and responsibilities on how to secure the organization. Dictating who the responsible department is extremely important. Every department should complete a RACI matrix in order to identify the responsibility, accountability, consulted, and informed stakeholders regarding implementing security controls.
Jonathan Duani says
Ahmed,
I agree. I think there are levels to this. In order to have the correct technical controls in place you need to have the right administrative controls first. Then once you have good administrative controls you can build on top of them. Without good administrative controls the security can fall apart.
Elizabeth V Calise says
Administrative controls are primarily procedures and policies that are implemented to define and guide employees when dealing with an organization’s sensitive information. They inform employees on how the business is to be run, including the daily operations.
Also, administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information, such as:
• Training and awareness
• Disaster preparedness and recovery
• Personnel recruitment and separation strategies
• Personnel registration and accounting
Administrative controls help protect one from the technical threats of cybercrime because they set out the rules for how organizations expect their employees to behave. The controls must be enforced; otherwise, they are useless. For example, if an organization creates a policy stating that business resources cannot be used for personal use, then the organization needs to be able to enforce this. These controls help minimize the exposure of an organization. They provide a framework for how employees should behave at the workplace, which helps decrease the chance of a successful attack. To me, the technical and physical controls are the manifestation of the administrative controls put in place.
Scott Radaszkiewicz says
As an Information Security professional, how do administrative controls, such as policies, procedures, frameworks, help protect you from the technical threats of cybercrime?
Cybercrime can attack an organization in many ways. Unfortunately, there is no complete technical solution that will protect you from every attack, and a multilayered defensive approach must be taken. Administrative controls are just one more layer in a defense plan to thwart cyber crimes from affecting your organization. Administrative controls, such as policies or procedures, are put in place to help prevent crime where technical solutions can’t. For instance, let’s say the company policy is that no USB drives are to be used in company workstations. Technical measures can be put into place to stop operating systems from accessing USB drives, but technology can fail. Let’s say that workstations are deployed with the option set to disable USB access. Now, over time, if not checked and enforced, this setting can change. Now an employee could insert a USB drive and potentially unleash a virus/trojan. With administrative policies in place that educate staff not to use USB drives for any reason, then even if the technical controls fail, the user training should help them to remember. Now, there is no completely effective control to help prevent an employee intent on doing something malicious, but as I stated previously, all things in layers.
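The drift Scott describes (a USB-disable setting that silently changes after deployment) is exactly what a periodic compliance audit is for: the written policy becomes a baseline, and every workstation's observed setting is compared against it. The script below is an added example, not part of the original post; the inventory records, host names and dates are constructed, and the `usbstor_start` field is assumed to mirror the Windows USBSTOR service start type (4 = disabled) as an inventory tool might export it.

```python
"""Audit whether a deployed technical control (USB mass storage disabled)
still matches the written policy across a fleet of workstations.

Added example: the inventory format, host names and dates are constructed.
"""
from datetime import date, timedelta

# Policy expectation: USB mass storage must be disabled on every workstation.
# On Windows the USBSTOR service start type 4 (disabled) is the usual way to
# implement this; the field name mirrors that, but the records are made up.
BASELINE = {"usbstor_start": 4}
MAX_AGE_DAYS = 30  # a setting not re-verified within this window is "stale"

# Constructed inventory export: one record per workstation.
INVENTORY = [
    {"host": "ws-001", "usbstor_start": 4, "last_verified": "2024-05-01"},
    {"host": "ws-002", "usbstor_start": 3, "last_verified": "2024-05-02"},  # drifted
    {"host": "ws-003", "usbstor_start": 4, "last_verified": "2024-01-15"},  # stale
    {"host": "ws-004", "last_verified": "2024-05-02"},                      # missing
]


def classify(record, baseline=BASELINE, today=date(2024, 5, 3), max_age=MAX_AGE_DAYS):
    """Return 'compliant', 'drifted', 'stale', or 'unknown' for one host.

    A stale record is reported before its value is trusted: an old "compliant"
    reading is precisely the gap in which the setting can have changed.
    """
    verified = date.fromisoformat(record["last_verified"])
    if today - verified > timedelta(days=max_age):
        return "stale"
    for key, expected in baseline.items():
        if key not in record:
            return "unknown"   # control never observed on this host
        if record[key] != expected:
            return "drifted"   # control present but no longer matches policy
    return "compliant"


def audit(inventory, **kw):
    """Group hosts by status so non-compliant ones can be re-enforced."""
    report = {"compliant": [], "drifted": [], "stale": [], "unknown": []}
    for rec in inventory:
        report[classify(rec, **kw)].append(rec["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The audit enforces the administrative control (the policy and its review cadence) rather than replacing the technical one: hosts in the `drifted`, `stale` and `unknown` buckets are the ones where the policy says the setting must be re-applied and re-verified.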
Jonathan Duani says
Administrative controls, I feel, are very important when it comes to protecting an organization in regards to technical threats. When it comes to administrative controls, they support a defense in depth model. This is a model that every organization should use in a layered approach. This will include physical security measures like bollards and security guards, as well as technical controls as the layers get closer to the middle. This will allow only specific people with access and/or rights to access the most important information. An example of this would be physical access to a building, and then having a secured area where only select people could gain access through a dead man door. Finally, there could be virus scanners, firewalls, and VPNs within the network to allow technical controls to impede the flow of data if needed. I think when you couple everything together you get a good idea as to why administrative controls are important to help against technical threats. If you can’t gain access to the physical location without clearance and can’t gain access without proper permission, it will stop a lot of attacks in their place.
Dima Dabbas says
Administrative controls help protect from technical threats of cybercrime by setting policies, baselines, guidelines and standards that are defined by the organization’s security policy. These controls help in reducing the potential damage that an incident or event can have by making people more aware of security which can then change the behavior of people which can help in reducing the impact an incident or an event can possibly have or even avoiding it completely.
These administrative controls can range from security awareness programs, data classification and labeling, testing and vacation history, etc. Security awareness programs provide employees with awareness and information about security. This aids employees in understanding what they should and should not be doing in their workplace and even in their personal lives to protect their organization as well as to protect themselves. Data classification and labeling is an essential administrative control, as it classifies data based on its importance and impact to the organization. Employees should be aware of the type of data that they are dealing with; having data labeled makes employees pay more attention to the way they handle the data, especially if that data is not unclassified. Another administrative control is vacation history; keeping track of when employees are on vacation typically helps in performing audits on those employees that are on vacation to check for any abnormal behavior.
As you can see these administrative controls mentioned above can help in protecting and reducing the technical threats that cybercrimes can pose on the organization.
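The vacation-history audit Dima mentions only works when the HR leave register is actually cross-checked against activity logs. The script below is an added example (not part of the original post) of that check: it parses constructed authentication log lines and flags events attributed to an account whose owner is recorded as on leave on that day. The leave register, user names, IP addresses and the log line format are all constructed for the example.

```python
"""Flag account activity that occurs while the account owner is recorded as
on vacation. Added example: the leave register, users, addresses and the
log format are constructed.
"""
import re
from datetime import date, datetime

# Constructed leave register: user -> list of (first_day, last_day), inclusive.
LEAVE = {
    "alice": [(date(2024, 6, 3), date(2024, 6, 14))],
    "bob":   [(date(2024, 6, 10), date(2024, 6, 12))],
}

# Constructed authentication log, one event per line:
# <ISO timestamp> <user> <event> <source ip>
LOG = """\
2024-06-04T09:12:33 alice login 10.0.0.15
2024-06-04T09:13:10 carol login 10.0.0.22
2024-06-10T02:41:07 bob login 203.0.113.9
2024-06-13T11:05:48 bob vpn-connect 10.0.0.40
this line is deliberately malformed
2024-06-20T08:00:01 alice login 10.0.0.15
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Yield (timestamp, user, event, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole audit
        ts, user, event, src = m.groups()
        try:
            yield datetime.fromisoformat(ts), user, event, src
        except ValueError:
            continue  # unparseable timestamp: also skipped


def on_leave(user, when, leave=LEAVE):
    """True if `when` falls inside any recorded leave period for `user`."""
    return any(first <= when.date() <= last for first, last in leave.get(user, []))


def find_leave_activity(log_text, leave=LEAVE):
    """Return the events that fall inside the acting user's recorded leave.

    Each hit is a review lead, not proof of compromise: the employee may be
    checking mail from holiday, or the leave register may be out of date.
    """
    return [(ts, u, e, s) for ts, u, e, s in parse(log_text) if on_leave(u, ts, leave)]


if __name__ == "__main__":
    for ts, user, event, src in find_leave_activity(LOG):
        print(f"{ts.isoformat()} {user} {event} from {src} (user on leave)")
```

In practice the leave register would come from HR and the events from the SIEM; the point of the control is that the administrative record (who is on leave) gives the technical log a context it does not carry on its own, so activity that looks routine in isolation becomes worth a second look.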
Frederic D Rohrer says
Administrative controls give you, as the security professional, the ability to clearly outline and communicate security requirements. Administrative controls, as opposed to technical controls, describe an implementation or standard that is technology neutral. They also describe policies and procedures which do not require technological implementation, for example, employee on-boarding rules.
Doing so leaves freedom to the staff to implement with the technology in mind that is used in your organization, which in turn results in a tailored security approach.