As an Information Security professional, how do administrative controls, such as policies, procedures, frameworks, help protect you from the technical threats of cybercrime?
Comments
Vincent Piacentino says
Policies are important because incidents and breaches cost the organization mucho dinero $$$. As we all know by this point, employees are by far the weakest link. Employees share their passwords, they click on phishing URLs and attachments (even after repeated training), and neglect to encrypt sensitive files (thank you DLP for looking out for us). Policies specify the rules on how employees, consultants, vendors, etc. interact securely with systems in the organization and are held accountable for neglect. The policy also lets us know who the stakeholders are and their responsibilities. Examples are acceptable use policies, remote access policies, VPN policies, and email encryption policies.
Procedures provide comprehensive documented processes to walk employees through what they need to do to undertake the requirements to keep the organization safe and secure. This also helps the organization be audit ready and shows that its due diligence is sound.
Frameworks provide a common systematic methodology for managing cybersecurity risk. At its core, it includes activities to be featured in a cybersecurity program that can be personalized to meet any organization’s needs. In addition, a framework is designed to complement, not replace, cybersecurity systems and the risk management process. An organization can also identify areas where their existing procedures may be improved, or where new solutions can be applied.
https://www.sans.org/information-security-policy/?&category=
https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework
Jerry Butler says
Administrative controls are the foundations for a company to conduct its business. Policies are guidelines that give guidance to employees to perform a task. Policies outline and drive the postures of a business and how they conduct business.
Frameworks give the overarching methodology behind how a company decides policy, conduct, and business goals.
When both framework and policy align, it helps drive technical competency, checks and balances around controls, and protects the company from cybercrime threats.
Vanessa Marin says
Policies also help implement controls around regulation and compliance. Without policies, procedures and frameworks it is hard to prove to an auditor that you are compliant with laws and regulations depending on which industry the business is in.
Mei X Wang says
Hi Jerry, I agree with your point as well. Administrative controls are built and implemented from the top down by management. Upper management must play a part in ensuring compliance with them company-wide to lead and train their employees. With proper enforcement of controls, policies, and frameworks, that’s how the company can best protect their assets.
Mei X Wang says
Administrative controls can help us protect against technical controls because policies, procedures, and frameworks serve as a guideline on industry best practices. The framework can serve as a guide for organizations to safely build their security architecture and helps the organization stay up to date with regulatory compliance. Not only does it help maintain compliance, but it can also serve as a deterrent for cybercrime. For example, an administrative control that creates an access control policy outlines concepts such as user access reviews, least privilege, segregation of duty, and password configuration, which can all work hand in hand to help protect an organization from cybercrime.
Administrative controls serve as a way for top-level management to protect the organization. By having these best practices, we can mitigate the technical threats by monitoring, detecting, and preventing threat actors from entering our system. If a threat actor is able to infiltrate, an organization with policies to perform quarterly access reviews will be able to discover this compromised account, quarantine the infected, and revoke its access before spreading throughout the network.
Krish Damany says
Hi Mei,
I agree with your assessment. Having administrative controls determining policies on a consistent basis allows organizations to keep up with the current technologies and security measures to adopt, and mitigate chances of breaches or exploits. Of course, just having administrative controls isn’t a be-all-end-all approach, and it should be supplemented by both technical and physical controls to create a more secure organization overall.
Krish Damany says
In most situations of a breach or an attack on a company, the weakest point of entry is usually opened up by people. An organization can have the best security and technology in the world, but all it takes is one phishing email to shut a system down from the inside. Having administrative controls in place, while not a fool-proof method of stopping attacks, can help aid in the prevention of an attack from occurring. For example, editing the group policy settings for employees is a good way to prevent unauthorized access to certain directories within an organization, so in the event of a breach, and depending on the level of authority of the employee, parts of the system will still be out of reach for attackers. Even management policies could be helpful in determining what types of content are and are not allowed to be browsed on company equipment. Rules in place such as these will go a long way in mitigating the risk of breach in organizations.
Mei X Wang says
Hi Krish, I agree with your analysis; the weakest point of entry is usually opened up by people. No matter how much automation or how advanced technology becomes, the organization can still trip up over something as simple as not enforcing its password policy. With the recent cyber attacks such as SolarWinds, we should heed the warning that no matter how big the company is, it only takes one mistake to infiltrate their systems.
Rudraduttsinh says
Hi Krish,
I agree that people are the weakest link in cybersecurity. Having administrative controls provides guidance to the company in the time of any unwanted happening. Moreover, without guidance each employee will manage their systems in their own idiosyncratic way, leading to unmanageable “graveyards.”
Rudraduttsinh says
New risks emerge every hour of the day. Just connecting to the internet opens the possibility of a hacker targeting your organization: policies, IT governance, procedures, and frameworks play a critical role. Administrative controls ensure that the systems are not misused. Also, policies and procedures should be reviewed and updated to reflect the current risks. Procedures and other documentation establish a plan to mitigate the risk of key people being unavailable in the event of a system failure.
Vanessa Marin says
You bring up an excellent point Rushi!
All the policies and procedures can be written up and even implemented, but if they are not periodically reviewed for relevance, changes and impacts to the business, then you may as well have never written a policy at all.
Without such reviews policies get outdated due to changing technologies, business goals and many more variables.
Vanessa Marin says
Policies, procedures and frameworks set the baseline threshold to help protect against technical threats. They set the process in motion by defining scope, steps to take and business processes to consider. Well drawn out policies and procedures are also enforceable and hold people accountable. They explain the need for technical controls and who should decide what controls are needed and what they are intended to protect. They also set a timeline for which systems need to be monitored or evaluated.
Frameworks and standards such as NIST, COBIT and COSO help support policies by setting an industry standard and best practices. These guidelines aren’t required, but given the repercussions of cyber attacks, data breaches and their related consequences, they serve as an incentive for private businesses to implement such frameworks.
Administrative controls work in conjunction with technical controls to harden and help mature a SOC or IT infrastructure. Policies and procedures approved by the business help set the priorities of IT professionals. After all, it is in the best interest of the enterprise to have a close relationship between the business and IT. Aligning the two is the best way to protect an enterprise from cyber attack.
Vanessa Marin says
I just recently became aware of GxP regulations and guidelines now that I’m working in Pharma. I don’t think there’s a more regulated industry! I’ve seen policy after policy and am now in charge of the risk register and controls matrix. The amount of controls in place is directly driven by policies and guidelines! And compliance/legal/risk is heavily involved in every technology!
Krish Damany says
Hi Vanessa,
I also think the combination of administrative controls with technical controls is essential. One really depends upon the other to strengthen both control methods. Having administrative controls is good as a baseline to make sure that employees in an organization know certain policies and procedures, but the technical controls provide a safety net to make sure that the policies and procedures the administrative controls are attempting to enforce are actually followed.
Brian Schneider says
Regulatory controls can assist us with ensuring specialized controls since arrangements, methodology, and structures fill in as a rule on industry best practices. The system can fill in as a guide for associations to securely construct their security design and helps the association keep awake to date with administrative consistence. In addition to the fact that it helps look after consistence, yet it can likewise fill in as an obstacle for cybercrime. For instance, an authoritative control that makes an entrance control strategy traces ideas, for example, client access surveys, least advantage, isolation of obligation, secret phrase design would all be able to work inseparably to help shield an association from cybercrime.
Regulatory controls fill in as a path for high level administration to ensure the association. By having these prescribed procedures, we can moderate the specialized dangers by observing, distinguishing, and keeping danger entertainers from entering our framework. On the off chance that a danger entertainer can invade, an association with strategies to perform quarterly access surveys will actually want to find this undermined account, isolate the contaminated, and repudiate its entrance prior to spreading all through the organization.
Vanessa Marin says
Oops.. I meant to comment to you and not to myself… lol reposting here!
I just recently became aware of GxP regulations and guidelines now that I’m working in Pharma. I don’t think there’s a more regulated industry! I’ve seen policy after policy and am now in charge of the risk register and controls matrix. The amount of controls in place is directly driven by policies and guidelines! And compliance/legal/risk is heavily involved in every technology!
Eugene Angelo Tartaglione says
Having policies in place helps set a good foreground for your company and allows users to have a sense of the culture of the company. In addition to this, policies help give guidance to the employees of the company regarding security. For example, an acceptable use policy in place for an organization will let the employees have an understanding of what they can and cannot do regarding sharing the organization’s information, what sites they can browse on their work machines, etc. Having this in place along with an onboarding procedure of security training for employees can really help cut down on the human aspect of cybercrime by limiting potential human-related vulnerabilities the company may face.
Amelia Safirstein says
In order to protect against cybercrime, organizations should implement technical, administrative, and physical controls. Technical controls alone will not suffice. Policies and procedures help to ensure that people within the company use technology properly and allow the technical controls to work properly. For example, access control is not useful if the owner of a privileged account shares their password with everyone they meet. Frameworks allow the people within a company to set up technology and technical controls in a way that makes them effective. Without securing the human/business side, the technology alone will fail against cybercrime.