Administrative Controls

Administrative controls consist of approved written policies, procedures, standards and guidelines. Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Some industry sectors have policies, procedures, standards and guidelines that must be followed – the Payment Card Industry (PCI) Data Security Standard required by Visa and Master Card is such an example. Other examples of administrative controls include the corporate security policy of Gramm-Leach-Bailey (GLB), which pertains to financial records maintained by brokerages, banks, lending institutions, and credit unions.

GLB addresses the need for CIA over the financial records of consumers, and it outlines specific obligations that must be taken by these institutions to protect the data associated with such records.

Due care policies identify the level of care used to maintain the confidentiality of private information. The objectives of due care policies are to protect and safeguard customer and clients records.

These organizations help craft due care diligence obligation for organizations, mandate the creation of Administrative Controls to protect the private personal information of consumers, and define the private property of a consumer and a company.

They inform people on how the business is to be run and how day to day operations are to be conducted. One of the leading ways to handle due care policies is to implement best practices.

Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution. The never ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response & repair, documentation, and review. This makes information security an indispensable part of all the business operations across different domains.

How does the absence of Administrative Controls impact corporate liability?

Protection of information resources requires a well-designed set of administrative controls. A lack of administrative controls suggests that management is negligent in understanding its responsibility to protect the information system. Administrative controls have positive and negative effects. Encryption, for example, protects confidentiality, but it also takes time and introduces key management issues. When selecting controls, you have to consider the full impact. If the negligence contributes to theft, loss, or aid of a crime, this would constitute a lack of due diligence on the part of management.

Administrative process controls outside the computer system should be clearly documented, enforced and regularly exercised. For instance, while entering data to create a new record in a material system database’s item master table, the only internal control that the system can provide over the item description field is not to allow the user to leave the description blank – in other words, configure item description as a mandatory field.

An effective information security program incorporates a combination of technological and human controls in order to avoid the loss of information, deter accidental or intentional unauthorized activities, prevent unauthorized data access, detect a loss or impending loss, recover after a loss has occurred, and correct system vulnerabilities to prevent the same loss from happening again (Parker, 1984).

How do Administrative Controls influence the choice of Technical and Physical Controls?

Top of FormBottom of FormAdministrative controls formalize standards, rules, procedures, and the control disciplines to ensure that the organization’s general and application controls are properly executed and enforced. Protection of information resources requires a well-designed set of controls. Computer systems are controlled by a combination of general controls and application controls.

In the Information age upon us, understanding risk is an important element in deciding on the protection mechanism selected to protect information. Information security professionals are challenged with management of assets and other obstacles that make it difficult to implement the appropriate controls. An array of tools and technologies can help firms protect against or monitor intrusion. Technical controls include tools for authentication, firewalls, intrusion detection systems, antivirus software, and encryption. Tools and methodologies are also available to help firms make their software more reliable. Some of the easiest, most effective and least expensive controls are physical controls. Physical controls include lock on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters.

It is imperative to remember that Information security is the preservation of secrecy and integrity in the storage and transmission of information. Whenever information of any sort is obtained by an unauthorized party, information security has been breached. Breaches of information security can be grouped into five basic classes: (1) interception of messages; (2) theft of stored data; (3) information sabotage; (4) spoofing (i.e., using stolen information to pose as somebody else); and (5) denial of service (i.e., deliberate shutdown of cash machines, electric-supply grids, air-traffic control networks, or the like).

I do believe that the implementation of policies such as Issue-Specific policy and program policy through Administrative controls can mitigate issues surrounding technical and physical controls.

How would the absence of Administrative Controls affect projects in the IT department?

Firms need to establish an appropriate organizational and managerial framework for security and control to use technologies effectively to protect their information resources. An IT project has a minimum chance of surviving without the presence of Administrative controls. An unbounded system can be composed of bounded and unbounded systems connected together in a network. Although the security policy of an individual bounded system cannot be fully enforced outside of the boundaries of its administrative control, the policy can be used as a yardstick to evaluate the security state of that bounded system. Of course, the security policy can be advertised outside of the bounded system; but administrators are severely limited in their ability to compel or persuade outside individuals or entities to follow it.

Policies and procedures play an important role in the effective implementation of enterprise-wide information programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. As a result, organizations must develop formal, documented policies and procedures governing the minimum security requirements standard and must ensure their effective implementation through Administrative controls.