As an Information Security professional, how do administrative controls, such as policies, procedures, frameworks, help protect you from the technical threats of cybercrime?
Kelly Sharadin says
In order for an enterprise security program to truly be successful, security has to be adopted globally. Administrative controls help enforce the adoption of security best practices. For example, an acceptable use policy sets the expectations for employees regarding how they use and interact with technology within the organization. An acceptable use policy can help limit improper use of software and hardware that could inadvertently expose the organization to threats. At the strategic level, applying NIST’s risk management framework can support the organization’s prioritization efforts of protecting crown jewels by adequately allocating the necessary resources to reduce risk. Lastly, procedures can assist organizations in standardizing security best practices so that security scales with the business.
Tal Eidenzon says
Hi Kelly!
At the end of the day, organizations are people, and with so many breaches resulting from employee error or lack of security awareness, having strong policies and enforcement, supplemented with training and internal auditing is vital for success.
Thanks,
Tal
Antonio Cozza says
Good point, Tal. Employees are the number one root cause of data breaches, especially lately, as we consistently see examples of footholds gained through simple negligence and ignoring basic security best practices and principles, which should be driven from the top down through things like administrative policies, frameworks, and procedures.
Anthony Wong says
Kelly,
Great examples of how administrative controls can influence protection from technical threats. I would add that policies need to be communicated by executives to portray to the employees that security is an important aspect to take seriously in order for the company to be successful in reaching its business goals and objectives.
Mitchell Dulaney says
Hi Kelly – you’re absolutely right to point out that a successful security program must be adopted across the entire organization, and administrative controls are the method by which that can be assured. Without administrative controls that are documented and used to inform security processes across a company, each business unit would have the freedom to implement their own technical and physical controls haphazardly, and the overall security posture would suffer as a result.
Vraj Patel says
Administrative controls such as policies, procedures, and frameworks provide an organization with a guideline to achieve the security goals of the organization. Policies could help establish the responsibility of the end user in achieving security, through policies such as an acceptable use policy. There are different types of policies that could be implemented to protect the organization from any technical threats, such as a Password Policy, Data Protection Policy, and Security Awareness Training Policy. While the policy provides a guideline, the procedures include the steps for completing or processing a particular task. The framework outlines how a secure system or application should be developed.
Kelly Sharadin says
Hi Vraj,
Nice summary. I agree it’s important for an organization to establish security goals, especially since it’s difficult for other business units to understand the value security brings to the organization. By defining goals, creating roadmaps, and measuring outcomes, security professionals become more integrated with the organization as opposed to being siloed.
Kelly
Mitchell Dulaney says
Administrative controls enable the implementation and enforcement of other types of controls, including the technical controls that are required to defend against cybercrime attacks. While technical controls must ultimately be implemented to mitigate the risks posed by cybercriminals, administrative controls are the backbone that give certain staff in an organization the necessary authority to put those technical controls in place. Without administrative controls, there would not be anyone designated as responsible for cybersecurity, there would not be any policies dictating which controls should be implemented, and there would not be any internal consequences for a failure to utilize the correct technical controls. Administrative controls also include procedures and guidelines; without these components of an information security management system, the security operations staff would not have official directives regarding how the organization’s technical controls should be configured and maintained. It’s administrative controls that give senior management the peace of mind that their security program is functional.
Kelly Sharadin says
Hi Mitchell,
Great call out regarding cybersecurity responsibility. I often have large consulting projects where the client places too much emphasis on tools to solve their incident response needs. I try my best to steer them more towards adopting better procedures and guidelines that are independent of any particular name brand, because ultimately that’s how investigations are conducted. Further, by hiring the right personnel with the appropriate skillsets, organizations are better equipped to defend their networks than by solely relying on tools.
Kelly
Antonio Cozza says
Administrative controls like policies, procedures, and frameworks play a crucial role in defending against cybercrime at the organizational level. They all help in implementing and driving the direction of technical and physical controls as well, adding different levels and means for security throughout an organization. Well-written policies can steer an organization in helping understand and choose how to secure different information systems as required by the policy for the given organization in accordance with any relevant regulations. Procedures help the organization adhere to the policies laid out for protecting information systems and, in effect, combating cybercrime by decreasing attack vectors. Lastly, frameworks provide a means of best practices for different security considerations.
Mohammed Syed says
Also, conduct security awareness training, and from the technical perspective, verify the vulnerable patch system and use multi-factor authentication. Use antivirus software and an Intrusion Detection System (IDS).
Kyuande Johnson says
Great points, Mohammed.
Implementing a Cyber Security Awareness training program should be a goal in every organization. Ensuring that users are aware that their actions can pose threats to the organization is essential. A good Cyber Security Awareness Training program should include: how to detect and report phishing, best practices regarding password creation and storage, utilizing public Wi-Fi, etc. The purpose of Cyber Security Awareness Training is to change human behavior, which significantly reduces the attack surface of an organization.
Tal Eidenzon says
Hi Kyuande,
It’s an art form to present security awareness training in such a way as to not be met with sighs of boredom and disappointment. In several organizations that I’ve been a part of, the trainings were a mandatory checkmark, so the content was irrelevant. But correctly done, they can save an organization millions.
Thanks,
Tal
Vraj Patel says
Hello Antonio,
That’s a great post. Also, I agree that policies could drive the direction of the technical and physical controls. Technical controls could be implemented to identify the controls to protect the systems, and likewise the physical controls can be implemented to protect the physical facilities that are critical to the business operations, such as a data center.
Kyuande Johnson says
Humans are the weakest link in an organization, due to their capability of intentionally or unintentionally compromising an organization’s confidential data. Humans can be persuaded and tricked into opening a suspicious link in an email, which can cause great damage to an organization. Ensuring that users have Cyber Security Awareness training can significantly reduce the attack surface of an organization. Security Awareness training educates users on their responsibility to protect the confidentiality, availability, and integrity of their organization’s information. It assists users in how to detect malicious emails and how to properly report phishing.
Shubham Patil says
I do agree that humans are the weakest link in the security chain. It is important to consider the specific vulnerabilities that people present in the system. Though there are many ways to exploit the human in the loop, there are three that correspond to the bulk of the attacks: social engineering, social networks, and passwords.
Antonio Cozza says
Good points, K. I agree that humans are, and likely always will be, the weakest source of security and the biggest risk to an organization; people tend to choose what is easier for them, even if that means reusing a simple password on all accounts, without considering that it may be a source of risk to organizational and personal security. Security awareness training is a good administrative implementation to reduce and mitigate some of this risk presented by employees.
Anthony Wong says
Antonio,
As you mentioned, one of the most important aspects of information security is understanding the value of the data we are protecting. A data classification policy can help enterprises determine how valuable the data is, which influences what types of technical controls would be implemented to protect the data.
Mitchell Dulaney says
Hi Antonio – You make a good point that administrative controls can include a variety of corporate documents that inform the implementation of technical and physical controls. While the other two controls are thought of as doing the “heavy lifting” of actually preventing cyber crime, the organization’s policies, procedures, and guidelines are key to effectively implementing those other control categories.
Shubham Patil says
As the book mentions, the first piece to building a security foundation within an organization is a security policy. It is management’s responsibility to construct a security policy and delegate the development of the supporting procedures, standards, and guidelines; indicate which personnel controls should be used; and specify how testing should be carried out to ensure all pieces fulfill the company’s security goals. These items are administrative controls and work at the top layer of a hierarchical access control model.
In my opinion, the technical threats of cybercrime can be protected against by testing these administrative controls, which are mostly implemented through policies. Finally, after we have enough empirical data to assess our posture, we discuss how to report our findings and how those findings play into the executive decision making within the organization.
Mohammed Syed says
Additional security controls help with continuous monitoring, enforcement, and preventing phishing, besides the acceptable use policy management control.
Oluwaseun Soyomokun says
Great point, Shubham. It is important for an organization to have a clearly defined policy and to enact the policy; a good policy secures not only the organizational data and systems, but also individual employees and the entire organization, with security best practices. It also acts as a powerful decision statement about the organization’s dedication to security.
Tal Eidenzon says
As an Information Security professional, how do administrative controls, such as policies, procedures, frameworks, help protect you from the technical threats of cybercrime?
There are countless threats in today’s world. As it is often explained, the greatest vulnerability in any organization comes from within; it is the human element. Policies and procedures “encourage” safe practices of employees within the organization.
The frameworks are what provides the guidance of drafting the policies and procedures.
Thanks,
Tal
Vraj Patel says
Hey Tal,
That’s a great point. The human element does provide a greater vulnerability nowadays as cyber-attacks, such as phishing attacks, are increasing. Implementing a policy could be a great start on mitigating that risk, as the policy would identify the requirements for implementing the security training.
Oluwaseun Soyomokun says
I agree with both points. Human perceived weakness and sometimes negligence cause great harm to a company’s assets, with the rise of threat actors willing to capture and exploit the vulnerability gaps from human error. To protect important company assets, the future of cybersecurity is in the hands of sophisticated technology and processes. However, trust is the most critical aspect of any cybersecurity operation.
Mohammed Syed says
Administrative security refers to an organization’s policies, procedures, and guidelines that define employee or business practices within organizations. The strategies that examine and enforce administrative control are management controls and operational controls. Management controls are security controls that focus on the management of risk and the management of information system security. Operational controls are primarily implemented and executed by people, as distinct from systems.
Shubham Patil says
Hi Mohammed,
The risk assessment team must evaluate the security controls’ functionality and effectiveness. A security control must make good business sense, meaning it is cost effective, and hence requires cost/benefit analysis.
Mohammed Syed says
I completely agree with you. However, I mentioned the initial administrative security process.
Oluwaseun Soyomokun says
Administrative controls are necessary for enforcing other types of controls, such as the technical controls needed to guard against cyber-attacks. Typically, the first section of a cybersecurity policy outlines the organization’s broad security expectations, roles, best practices, and obligations. It provides information about roles and responsibilities, proper information protection practices, and enforcement actions if controls are not followed.
Technical controls protect valuable information from misuse or unlawful access.
To defend, detect, and respond to prospective and real security breaches and occurrences, most businesses require a combination of technical controls to function together.
The use of active and passive asset discovery technologies to update the inventory, vulnerability screening, and monitoring for illegal access to assets and data are just a few examples of technical controls connected to asset management.
Shubham Patil says
Hi Oluwaseun,
Controls are put into place to reduce the risk an organization faces. Administrative controls are commonly referred to as “soft controls” because they are more management oriented. Technical controls are software and hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms. Physical controls are items that are put into place to protect facilities, personnel, and resources.
Kyuande Johnson says
Administrative controls are implemented to change the behavior of people. In every organization, humans are the weakest link. Policies, procedures, frameworks, and training assist organizations in reducing the impact of malicious threats. Policies ensure that organizations set the standards of behavior. They also outline what employees must do or not do. Procedures are guidelines to assist users in getting their job done. Implementing procedures prevents employees from getting lost when performing job duties. Frameworks are a collection of best practices that an organization should follow to manage its cybersecurity risk. Training educates users on their responsibility to protect the confidentiality, availability, and integrity of their organization’s information.
Shubham Patil says
Hi K,
What do you think are some common challenges when designing a security policy? Information security policies are meant to keep your organization’s data safe. However, designing effective information security policies is far from easy. The rapid evolution of technology poses fresh threats every day, and most policies need to be implemented across a multi-user organization.
Mitchell Dulaney says
Hi Kyuande – Administrative controls spell out explicitly what the policies, procedures, and guidelines are that the organization must follow when it comes to cyber security. As you point out, when these components of the security program are defined and enforced, it mitigates a variety of risks posed by humans inside and outside the enterprise.
Anthony Wong says
Administrative controls are vital to any organization’s success. Policies are corporate law that all employees should follow, and they help create a culture of security within the enterprise. The board of directors or C-suite executives need to communicate this message to everyone to set the tone about the importance of security. As a result of this, the policies can help protect against technical threats within the cyber landscape. An example of this is communicating how to identify phishing attempts.
Mitchell Dulaney says
Anthony, I think you’re correct to describe security policies as corporate law, and to point out that senior management’s responsibility is to adhere to that law and enforce it across the organization. Policies, procedures, and guidelines are the tools used to build the overall information security management system, and when company executives wield those tools effectively, the rest of information security tends to perform well.