Administrative Controls
How Administrative Controls Demonstrate Due Care
Administrative controls are the policies that an organization’s management team prepares in order to communicate its intent for controlling the organization’s information systems to the rest of the organization (Mickler, 2009). These policies allow the management team to manage by discipline and principle, and they also serve as guidelines for implementing the physical and technical controls that are necessary for protecting the systems.
In particular, administrative controls are used to exercise due care in that they protect the organization’s information and information systems from unauthorized disruption, modification, destruction, disclosure, use, and access (Ajibuwa, 2008). Examples of such policies include password policies and the restriction of access to the computer server rooms to certain members of the IT staff. In addition, administrative controls are used to ensure that information security systems, policies, and processes are regularly reviewed and documented, and that there are regulations for incident response and repair, for the detection and monitoring of information security risks and breaches, and for the protection and assessment of the information systems. Moreover, administrative controls can be used to ensure that employees are provided with training regarding the information systems and the security policies that come with their use.
These would be in conformance with the definition that Harris (2003) provided for due care, which is that “due care are steps [. . .] taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.”
How the Absence of Administrative Controls Impacts Corporate Liability
The absence of administrative controls will have a negative impact on the organization’s corporate liability, because the organization’s management team has not implemented the security measures needed to protect the organization’s data and resources. Without these administrative controls, an organization can be held liable for any breach in security. According to statistics, security breaches have caused financial losses amounting to about ten billion dollars in the U.S. alone (“Computer Security,” 2012). Moreover, these security breaches usually result from damage caused by natural disasters, fire, and malfunction; electronic surveillance of the organization’s corporate data by external parties; fraudulent activities and unauthorized financial transactions made in the company’s name; employees’ incorrect use of confidential information and computer resources; network overloads caused by malicious mass e-mailing; theft and infiltration of corporate data by external hackers; and the spread of computer viruses.
It is clear that many of these security breaches are caused by the improper behavior of employees or by a poorly implemented IT infrastructure. Administrative controls can be used to correct these deficiencies, and with these controls in place, all organizational members are accorded defined levels of accountability, which encourages everyone to be more vigilant with regard to the protection of the organization’s information and information systems.
How Administrative Controls Influence the Choice of Technical and Physical Controls
Administrative controls influence the choice of technical and physical controls in that they define the security controls required to sufficiently mitigate the risks that can result from the use of information and information systems in achieving the organization’s mission and objectives (National Institute of Standards and Technology, 2009). For example, administrative controls can be used to identify whether preventive or detective controls are needed. Preventive controls are intended to prevent the occurrence of unwanted incidents, whereas detective controls are used to identify unwanted events after they have occurred (“Section 1-1,” n.d.). Moreover, administrative controls can include guidelines for the planning and implementation of the security controls and also define the grounds for confidence, or the level of assurance, which indicates how effectively the security controls have been applied.
Administrative controls also include guidelines for business processes that may influence the choice of the technical and physical controls to be implemented. For example, if the organization operates around the clock, it may choose to install security alarm systems on the floors that operate at night. In addition, if administrative staff members are not allowed to access the development servers, then a more rigid user authentication system might be implemented for the development servers to ensure that only the developers are allowed access to them.
How the Absence of Administrative Controls Affects Projects in the IT Department
The lack of administrative controls can lead to delays in the completion of projects, as extra time and resources will be spent on addressing security breaches such as computer viruses or computer damage. Even when the IT project does get completed, it may still be exposed to security threats; for example, employees may be able to infiltrate the system and obtain confidential information. Moreover, there are some projects that the management team may want to keep confidential until they are completed. Without administrative controls, this can be difficult to enforce, especially when rumors spread easily across the organization. Also, without administrative controls, it can be difficult to trace accountability should any problem occur during the project’s development phase.
References
Ajibuwa, F. O. (2008). Data and information security in modern day businesses. Retrieved from http://www.aiu.edu/publications/student/english/Data%20and%20Information%20Security%20in%20Modern%20Day%20Businesses%20thesis.html
Computer Security. (2012). Reference for Business: Encyclopedia of Business (2nd ed.). Retrieved from http://www.referenceforbusiness.com/encyclopedia/Clo-Con/Computer-Security.html#b
Harris, S. (2003). All-in-one CISSP Certification Exam Guide (2nd ed.). Emeryville, California: McGraw-Hill/Osborne. ISBN 0-07-222966-7.
Mickler, R. P. (2009, November 7). The five biggest IT mistakes committed by small business. Retrieved from http://www.micklerandassociates.com/the-five-biggest-it-mistakes-committed-by-small-business/
National Institute of Standards and Technology. (2009, August). Recommended security controls for federal information systems and organizations. NIST Special Publication 800-53. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
Section 1-1: Access Control Principles and Objectives. (n.d.). Retrieved from http://www.cccure.org/Documents/HISM/003-006.html