Administrative Security Controls Assessment

An Administrative Security Controls Assessment consists of a thorough review of the administrative controls employed by the organization. Administrative security controls are those controls meant to govern the behaviors of people.

Common administrative security controls found in organizations are:
  • Policies
  • Standards
  • Procedures
  • Training
  • Awareness


The administrative security controls review consists of:
  • A review of all documented policies, processes, and procedures,
  • Interviews with key personnel to determine the effectiveness of existing administrative controls (documented and undocumented).


Metrics are assigned to each control and aggregated to create a “Risk Rating”. The metrics used are:
  • Level of Effectiveness (“LOE”) - a measure of control quality and maturity,
  • Likelihood of an adverse event or threat, and
  • The potential Impact suffered by the organization.



Administrative Controls

The administrative security controls assessment includes a comprehensive and objective review of all documentation, processes, and practices used in the management of information security. The analyst will use the controls found in ISO 27002 (17799:2005), NIST, and others for comparison, gap analysis, and risk rating.

As an example, the scope of ISO 27002 (17799:2005) includes:
  • Security Policy Management
  • Organizational Security Management
  • Organizational Asset Management (physical, software, and information)
  • Human Resources Security Management
  • Physical and Environmental Security Management
  • Communications and Operations Management
  • Information Access Control Management
  • Information Systems Security Management
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance Management


NOTE: Administrative controls are subjective to the organization and are not included in a guide.



Contact us for more information or to request a quote.

