In our previous blog, we discussed the importance of physical security controls in implementing a defense in depth (DiD) strategy. We tackled what they are and provided specific examples.
In this second installment of a three-part blog series, we’ll zero in on administrative security controls.
What are administrative security controls?
Administrative security controls refer to policies, procedures, and processes that define personnel or business practices to protect company data and systems from unauthorized access, damage, or disruption.
While physical and/or technical controls may be used in enforcing administrative controls, the latter mainly targets the “human link” in the cybersecurity chain. In fact, according to the Massachusetts Institute of Technology, “administrative controls define the human factors of security. [They involve] all levels of personnel within an organization and [determine] which users have access to what resources and information.”
What are examples of administrative security controls?
The National Institute of Standards and Technology defines over 150 administrative security controls, including the following:
Security policies
Security policies refer to requirements that are written in accordance with the company’s cybersecurity goals. These policies make it clear what is and isn’t allowed as well as what will happen if someone fails to comply with them. Examples of such security policies include:
- Password policy – explains why it is important to have strong and unique passwords, and how workers should use and protect those passwords
- Access control policy – determines who has access to which data or IT resources, what can be done with them, and when access is allowed
- Audit policy – determines how events occurring in the system will be logged, monitored, and reviewed to detect security incidents
- Data collection policy – explains the company’s practices for collecting, storing, and processing user data
- Data classification policy – outlines which types of data are considered confidential, private, or public and what procedures must be followed when accessing or sharing such data
- Data loss prevention policy – explains how workers should handle and secure sensitive or confidential data
- Acceptable use policy – establishes what types of activities are and aren’t allowed on the company network
- Email security policy – covers how email should be used and what precautions workers should take to avoid email-based cyberthreats like phishing scams
- Mobile device usage policy – provides guidance on the use of mobile devices in the workplace, such as how they should be secured and used safely
- Bring your own device policy – explains how approved personal devices used for work should be secured
Security procedures and processes
Security procedures and processes refer to the steps that need to be followed for security policies to be effective. These include the following:
- User onboarding and offboarding – ensures users have appropriate access rights when joining or leaving the organization
- User access management – outlines how users are authenticated, authorized, and tracked
- Security training and awareness – educates workers on security best practices and helps them understand cybersecurity threats and their responsibilities when it comes to protecting company data
- Data backup and recovery – outlines how to protect data from being compromised or lost
- IT audit – involves having a third-party security consultant assess the company’s current security protocols and provide recommendations for improvement
- Incident response – defines the steps the organization will take in the event of a security incident as well as the key personnel and their respective roles and responsibilities in dealing with such incidents
- Crisis management – outlines how the company will remain operational when a security incident or other crisis occurs
By using multiple administrative security controls, you can better ensure that your employees won’t be the weakest link in your company’s cybersecurity chain.
Watch out for the last installment of this three-part blog series where we’ll discuss technical security controls.
To learn more about implementing the DiD strategy, book a FREE consultation with Spectrumwise.