Administrative Controls

Submitted By taz10050
Words 1204
Pages 5
Administrative controls are directives from senior management that provide the essential framework for the organization's security infrastructure. They consist of the procedures implemented to define the roles, responsibilities, policies, and other administrative functions required to manage the control environment and to oversee the confidentiality, integrity, and availability of the organization's information assets. Administrative controls can range from very specific to very broad and vary with organizational needs, the particular industry, and legal implications. They can generally be broken down into six major categories: operational policies and procedures; personnel security, evaluation, and clearances; security policies; monitoring; user management; and privilege management. Ultimately, senior management must decide what role security will play within the organization and define its security goals and directives.
Due care, by definition, is the care that an ordinary and reasonable person would take over their own property or information. An example would be a person placing documents that contain sensitive information, such as social security cards and passports, in a locked safe within their home. This measure ensures that only individuals with authorized access can obtain those documents and view the sensitive information. Due care is a legal concept used to help determine the level of liability in a court of law. If it is determined that due care was taken, the probability of being found negligent, and therefore being held liable for an incident that took place, is much lower. Administrative controls are key to the practice of due care. As stated in the previous paragraph, administrative controls are the essential framework for the organization's security infrastructure, provided by senior management. Under the Federal Sentencing Guidelines, senior officials can be held personally liable if their organization fails to comply with applicable laws and exercise due care. Through the application of administrative controls, senior management is able to set policies and procedures that outline how the organization will protect its information assets. This in turn provides guidance on the various methods, from technical implementations and physical access controls to end-user training, that will be used to protect the organization's information.
When senior management within an organization fails to implement any form of administrative controls, they fail to set the framework required to protect the organization's information. This failure not only exposes the organization to liability, but also exposes members of senior management, who can be held personally liable for failing to take the necessary steps to protect the information under their control. When no administrative controls are implemented, no security framework exists. Without this framework, the steps required to protect information cannot be taken; this is a lack of due diligence, which translates to a lack of due care. Since due care is a legal concept used to help determine the level of liability in a court of law, where due care is lacking the organization and its senior managers would more than likely be held fully liable for any and all damages resulting from an incident.
Since administrative controls are the essential framework for the organization's security infrastructure, they play an extremely important role in the choice of technical and physical controls that are put in place. For example, in the military, where information carries different classifications, the requirements for access to that information, both physical and technical, differ from those for information of a lower classification. How information is classified, and the requirements for access to each classification level, are outlined by senior officials in administrative controls. Unclassified information, which can be accessed and obtained by everyone, has different technical and physical controls in place versus information classified as Secret or Top Secret. Without these administrative controls being defined by senior officials, the various types of information could not be placed into a classification category such as Unclassified, Secret, or Top Secret, and the appropriate access controls, both physical and technical, could not be implemented to control access to the information.
The absence of administrative controls even impacts the various projects within the IT department, because any project within the IT department touches and/or manipulates organizational data. Since administrative controls contain the policies and procedures defined by senior management on how organizational data will be secured, the absence of such policies and procedures means there is no framework to provide guidance on how security will play a role in, or be impacted by, any project. An example of how administrative controls affect an IT project is the collapse and consolidation of a datacenter. As organizations look for ways to cut costs, many turn to virtualization. Although relatively expensive to implement, the long-term savings on equipment, power, and cooling are considerable. However, a consolidated or collapsed, virtualized datacenter presents unique security challenges of its own. With information being consolidated and roles and responsibilities beginning to cross, the lack of administrative controls makes it extremely difficult to define the lines or boundaries necessary to implement an effective security plan in the new environment. Although securing the data is a small portion of the overall project, not having a clear and concise understanding of the security needs required to ensure that organizational data is protected will stop the project in its tracks. This is true not only in the situation I have outlined, but for any project that takes place in the IT department. Without definitive guidelines on how organizational data is to be protected, it is impossible to ensure that any project initiated will implement the proper technical and physical controls needed to protect that data.
As the previous paragraphs show, administrative controls are truly the foundation of security for any organization, and without a proper foundation it is virtually impossible to implement any form of security. Much like a house or building must have a foundation in order to be built properly, so too must organizational security. If a house or building is built without a proper foundation it will be unstable and fail, and the same applies to security within an organization. When no administrative controls are clearly defined, every other aspect of the organization's security is bound to fail due to the lack of appropriate guidance and support from senior management.

