Once you have identified your risks, determined which cannot
be accepted, and decided that avoiding them or transferring some of them to
someone else is not possible or desirable, the last step in the risk decision
process is deciding how to mitigate them.
Mitigating a risk means either reducing the probable frequency of
occurrence of the loss event (don’t store gasoline in the file room), or
reducing the likely amount of damage if the loss event occurs (have fire
extinguishers), or both.
A control is something
you do to mitigate a risk. The problem
for the risk manager is that there are so many controls to choose from –
hundreds – and they all have their advocates.
Sometimes the advocates are people in your own organization, maybe
engineers enamored of one defensive technology or another. Sometimes they are regulators, because
regulations may encourage or mandate specific controls. Often they are vendors of technologies or
services that claim to have certain risk mitigation benefits. But before getting into the minutiae of
controls, it’s well to survey the landscape.
Although there are various taxonomies for controls, the most
useful one describes what the organization does to implement the control. Seen this way, controls fall into three
groups: administrative, physical, and
technical. Like the Three Musketeers,
they are all needed and they reinforce each other. All for one, and one for all.
Administrative
Administrative controls are ones you implement by taking
administrative actions. (That was
helpful, wasn’t it?) They are best
described by examples. Policies,
procedures, standards and guidelines are issued by management, usually and best
in writing, to guide or constrain the behavior of workers. They often include procedures for background
checks, disciplinary and termination procedures, confidentiality agreements,
and acceptable use rules. Training is
another good example.
Advantages of administrative controls are that they are
often relatively quick, easy, and inexpensive to implement. Need a policy on background checks? Just write it, get the VP of HR and CEO to
agree, and tell the HR staff to do it.
Written administrative controls can also be very useful to demonstrate
management commitment, which is important to auditors and regulators, so long
as there is evidence that management is truly supportive.
The main disadvantage of administrative controls is that
they are often hard to implement completely and effectively. You can have a policy that all passwords be
at least 8 characters long, but making sure this is actually done without some
technological enforcement is quite a different matter. So the main criticism of administrative
controls is that they are unreliable, and so require constant follow-up, which
can be expensive and annoying to all concerned.
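To make the password example concrete, here is an added illustration (not code from the article): the written 8-character standard kept as data, and a technical control that refuses to store any password that does not meet it, writing an audit record of each decision. The in-memory store and log are constructed stand-ins for real systems.

```python
# Added example: a written password standard (administrative control) paired
# with a technical control that enforces it when a password is set.
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The administrative artifact: the written standard, held as data so the
# enforcement code below cannot drift from what management issued.
PASSWORD_STANDARD = {"min_length": 8}

# Constructed stand-ins for a credential store and an audit log.
PASSWORD_STORE: dict = {}
AUDIT_LOG: list = []


@dataclass
class EnforcementResult:
    accepted: bool
    violations: list = field(default_factory=list)


def check_password(candidate: str, standard: dict = PASSWORD_STANDARD) -> EnforcementResult:
    """Evaluate a candidate password against the written standard.
    Returns the violated rules, not just a bool, so the decision is explainable."""
    violations = []
    if len(candidate) < standard["min_length"]:
        violations.append(f"shorter than {standard['min_length']} characters")
    return EnforcementResult(accepted=not violations, violations=violations)


def set_password(user: str, candidate: str) -> bool:
    """The technical control: a non-compliant password is never stored, and
    every decision is logged (without the password) as evidence for auditors."""
    result = check_password(candidate)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "event": "password_change",
        "accepted": result.accepted,
        "violations": list(result.violations),
    })
    if not result.accepted:
        return False
    # Store a salted PBKDF2 hash rather than the password itself.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    PASSWORD_STORE[user] = (salt, digest)
    return True
```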
Nevertheless, administrative controls have their place, and
in fact are essential since all controls must be supported by management to be
effective, and controls derive from policies issued by management.
Physical
Physical controls are generally about restricting physical
access to or protection of personnel, facilities and physical assets (as
opposed to logical assets like information).
They include locks and keys, guards, CCTV cameras, fences, burglar
alarms, and fire escapes.
Physical controls are commonplace so people are used to them
and accept them. Many kinds of physical
controls are either customary (fences), mandated by regulation (fire
extinguishers) or required for insurance (proximity to a fire station), so
budgeting and implementing them usually do not meet much resistance.
But physical controls can be expensive (seismic
reinforcement in earthquake country) and tend to be inflexible. Once you build a masonry wall, you can’t move
it. Physical controls also often have an
administrative element (security guards have to be managed), and may not work
without it (CCTV cameras are no good if nobody’s watching).
Physical controls are just as essential as administrative
ones. There is no logical security
without physical security. If anyone
could get into your data center, your days would be numbered.
Technical
Technical controls, or what are sometimes called logical
controls, constitute the vast majority of what people normally think of as
information security, and they are what makes people think that cyber security
is only an “IT thing.” There is a vast
and thriving industry of technological control vendors: firewalls, intrusion detection systems,
identity access systems, monitoring, logging – the list is endless. The profusion of options is both a blessing
and a curse. There are many to choose
from but qualifying solutions and coming up with an efficient, synergistic
combination can be challenging.
Technical controls tend to be strong where administrative
and physical controls are weak. Properly
implemented and administered, they are much more consistent and reliable than
administrative controls. And since they
are inevitably software-controlled, they are more flexible and adaptable than
many physical controls.
Then again, technical controls have their weak points. They need to be implemented correctly and appropriately
to the local situation. They need to be
managed, updated, maintained, and watched.
That requires trained staff. You
are not protected just by having a firewall.
It needs to have a good set of rules.
So the cost of implementation, management and maintenance needs to be
considered along with purchase price.
As with administrative and physical controls, there is no
getting around the need for technical controls either. After all, information security is all about
computers and networks.
All for One, One for All
It is hard to imagine an environment, even the simplest, in
which all three types of controls are not needed. There is no logical security without physical
security. There are no technical and few
physical controls that do not depend on administrative controls. And there is no dependable security at all
unless management has communicated its expectations in policies. Each type of control is both essential and
depends on the others. All for one, one
for all.