“The condition of any control is unknown until a violation is attempted.” – InfoSec’s Schrodinger
According to the United States Government Accountability Office…
“The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and organizes and develops its people.”
The actions that individual workers take each day contribute to the overall control environment of an organization. Because of this, administrative controls are critical: they define an organization's policies and procedures and help ensure compliance with them, in effect telling people what they must, can or cannot do. In addition to administrative controls, security can be established and upheld by technical controls, i.e. security-specific technology and systems that further manage enterprise risk.
Security controls, in administrative or technical form, are used to avoid, counter or minimize any potential loss of confidentiality, integrity or availability. However, before any security control is considered, an organization should first become security aware and understand both preemptive and responsive approaches to securing its environment. It is especially important to focus on internal controls, on workers and on their access privileges, as many threats originate with internal employees (whether through carelessness or malicious intent).
RES Software supports both preemptive and responsive measures and helps customers maximize the effectiveness of their security controls across both internal and external threats.
Deterrent – Controls set to provide warnings that can deter risk and potential violation or compromise.
Preventive – Controls set to stop violations of security policy before they occur. In practice this means compartmentalization by user, machine, location, device and even time, with access only granted when every applicable condition is met. Preventive controls include access control enforcement and authentication. In RES Workspace Manager, this can be established by applying Locations and Devices, Workspace Containers, Access Control, Time Restrictions and, for administrative purposes, Administrative Roles.
Detective – Controls set to warn of security violations (or attempts) as they occur. Learning modes and audit trails both give you an overview of what a user is doing, when, and from which device and location. RES Software has got ‘em, and they’re perfect for establishing the grounds for additional preventive controls: a denied attempt recorded in the audit trail tells you exactly which condition to tighten next.
Corrective – Controls set to remediate the effects of a violation or failure. Restoring a backup for files or folders can just as easily be done for user settings. By retaining user settings from any number of previous sessions, an end user can be allowed to restore settings from any of those previous sessions.
Compensatory – Controls set to compensate for increased risk, for example by adding control steps before violations can occur: adding a time restriction to a user, adding a location or device to that combination, and much more. Each additional condition narrows the circumstances under which access is granted and so decreases the likelihood of unauthorized access.
Controlling and Mitigating Security Risks
The effectiveness and value of any control can only be measured at a given time, against the state of the infrastructure at that time. Any change made to the infrastructure may alter the level of protection and the effectiveness of the controls in place. It may even go as far as to unintentionally create new risks and vulnerabilities that the current controls are not sufficient to mitigate.
Periodic testing of implemented controls, to verify continual enforcement of security policies and consistent execution of procedures, should be embedded in administrative routines.
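The preventive, detective and compensatory controls listed above, and the periodic control test this paragraph calls for, can be put together in a few dozen lines. The following is an added example written for this page; it is not RES Workspace Manager code and does not model its configuration. The rule format, the resource names (“finance-share”, “hr-share”), the users, devices and locations are all constructed for illustration. Access is denied by default and granted only when user, device, location and time window all match (preventive); every decision is written to an audit trail and denied attempts can be listed (detective); `add_time_restriction` narrows an existing rule (compensatory); and `verify_control` does what the opening quotation demands, it attempts a violation and reports whether the control actually held.

```python
"""Contextual access control (user, device, location, time) with deny-by-default,
an audit trail of every decision, and a probe that verifies a control by
attempting a violation. Added illustration; the rule format and resource names
are hypothetical and not RES Workspace Manager's configuration."""
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Every condition must hold; hours=None means no time restriction."""
    users: FrozenSet[str]
    devices: FrozenSet[str]
    locations: FrozenSet[str]
    hours: Optional[Tuple[time, time]] = None


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    location: str
    resource: str
    when: datetime


class Policy:
    def __init__(self, rules: Dict[str, Rule]):
        self.rules = rules
        self.audit: List[dict] = []  # detective control: log every decision

    def check(self, req: Request) -> Tuple[bool, str]:
        """Preventive control: deny unless a rule exists and every condition matches."""
        rule = self.rules.get(req.resource)
        if rule is None:
            verdict = (False, "no rule for resource")
        elif req.user not in rule.users:
            verdict = (False, "user not permitted")
        elif req.device not in rule.devices:
            verdict = (False, "device not permitted")
        elif req.location not in rule.locations:
            verdict = (False, "location not permitted")
        elif rule.hours and not (rule.hours[0] <= req.when.time() < rule.hours[1]):
            verdict = (False, "outside permitted hours")
        else:
            verdict = (True, "all conditions satisfied")
        self.audit.append({"user": req.user, "device": req.device,
                           "location": req.location, "resource": req.resource,
                           "when": req.when.isoformat(), "allowed": verdict[0],
                           "reason": verdict[1]})
        return verdict

    def denied(self) -> List[dict]:
        """Audit-trail view of violations (or attempts), the input for further controls."""
        return [e for e in self.audit if not e["allowed"]]


def add_time_restriction(rule: Rule, start: time, end: time) -> Rule:
    """Compensatory control: narrow an existing rule with a time window."""
    return replace(rule, hours=(start, end))


def verify_control(policy: Policy, violation: Request) -> bool:
    """Probe the control by attempting a request that must be denied; True only if it is."""
    allowed, _ = policy.check(violation)
    return not allowed


def demo() -> dict:
    # Constructed sample data, not taken from any real deployment.
    base = Rule(users=frozenset({"alice"}), devices=frozenset({"laptop-42"}),
                locations=frozenset({"HQ"}))
    policy = Policy({"finance-share": add_time_restriction(base, time(8, 0), time(18, 0))})
    ok = Request("alice", "laptop-42", "HQ", "finance-share", datetime(2024, 3, 4, 10, 0))
    late = Request("alice", "laptop-42", "HQ", "finance-share", datetime(2024, 3, 4, 22, 0))
    bob = Request("bob", "laptop-42", "HQ", "finance-share", datetime(2024, 3, 4, 10, 0))
    cafe = Request("alice", "laptop-42", "Cafe", "finance-share", datetime(2024, 3, 4, 10, 0))
    unknown = Request("alice", "laptop-42", "HQ", "hr-share", datetime(2024, 3, 4, 10, 0))
    return {
        "ok": policy.check(ok),
        "late": policy.check(late),
        "bob": policy.check(bob),
        "cafe": policy.check(cafe),
        "unknown": policy.check(unknown),
        # Periodic control test: every known violation must still be denied.
        "probes_hold": all(verify_control(policy, r) for r in (late, bob, cafe, unknown)),
        "denied_count": len(policy.denied()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` exercises one permitted request and four violations (outside the time window, wrong user, wrong location, resource with no rule), then re-runs the four violations as probes. Scheduling `verify_control` over a fixed set of known violations after every infrastructure change is the practical shape of the periodic testing recommended above: a probe that is suddenly allowed means a change has silently weakened a control.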
RES Workspace Manager and RES Automation Manager allow for setting, auditing and verification of the aforementioned control types, on a general (i.e. operating system, file system and network) as well as on application level. With the help of RES Software, organizations can put themselves in the best position to mitigate risk and quickly remediate threats to protect valuable corporate data and systems. This allows for a more systematic approach to improving the effectiveness of risk management, control and governance processes.