📖 What is Administrative Control?
Administrative Controls (also called management or managerial controls) are the policies, procedures, standards, and guidelines through which management defines and directs the organization's security posture. They govern the human element: security awareness training, hiring and termination practices, employee handbooks, and the oversight that keeps technical and physical controls aligned with management intent.
"When you see 'policy' or 'training' in a question, you are dealing with administrative controls, not technical or physical ones."
📚 Certification: Certified Information Systems Auditor (CISA)
🔑 What are the Key Concepts of Administrative Control?
- ▸ Security Policies: High-level statements of management intent that provide the mandate and organizational foundation for all other security controls, standards, and procedures.
- ▸ Standard Operating Procedures: Detailed, step-by-step instructions that ensure operational consistency and provide a measurable baseline for auditors to test compliance.
- ▸ Personnel Security: Controls including background checks, onboarding/offboarding processes, and mandatory vacations to mitigate insider threats and detect fraudulent activity.
- ▸ Security Awareness Training: Educational programs designed to reduce human error and ensure employees can recognize and report threats like social engineering.
- ▸ Governance Frameworks: The overarching management structure that aligns security controls with business goals and regulatory requirements through formal oversight and review.
🎯 How does Administrative Control appear on the CISA Exam?
You may be asked to identify the most effective control for reducing the risk of social engineering, where the correct answer is an administrative control like a security awareness program.
A scenario might describe a failure in employee offboarding leading to unauthorized access; you will need to identify the missing administrative control, such as a formal termination procedure.
Expect questions where you must distinguish between a technical control, such as a firewall, and an administrative control, such as an Acceptable Use Policy, when addressing a specific risk.
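The offboarding scenario above is typically audited by reconciling the HR termination list against the accounts that are still enabled in the identity system. The following is an added example of that audit test, not code from the original page; the HR extract, the account extract, and the one-day disable deadline (GRACE_DAYS) are all constructed assumptions for illustration.

```python
"""Audit test: reconcile HR terminations against still-active accounts.

Constructed sample data (not from the original page): an HR termination
export and an identity-system account export, both as CSV text.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR extract: employee id, name, termination date.
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
E1001,Alice Example,2024-03-01
E1002,Bob Example,2024-03-15
E1003,Carol Example,2024-04-02
"""

# Constructed account extract: employee id, username, enabled flag, last login.
ACCOUNTS_CSV = """employee_id,username,enabled,last_login
E1001,aexample,false,2024-02-28
E1002,bexample,true,2024-03-20
E1003,cexample,true,2024-04-01
E1004,dexample,true,2024-04-10
"""

# Hypothetical policy parameter: accounts must be disabled within this many
# days of the HR termination date (assumed value, not from the page).
GRACE_DAYS = 1


def parse_csv(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(hr_csv, accounts_csv, as_of, grace_days=GRACE_DAYS):
    """Return findings for terminated employees whose account is still enabled.

    Each finding records the username, the termination date, how many days
    past the grace period the account remained enabled, and whether the
    account was used after termination (the stronger finding for the report).
    Accounts with no HR termination record, disabled accounts, and accounts
    still inside the grace window are not findings.
    """
    terminated = {r["employee_id"]: r for r in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        hr = terminated.get(acct["employee_id"])
        if hr is None or acct["enabled"].strip().lower() != "true":
            continue
        term_date = date.fromisoformat(hr["termination_date"])
        deadline = term_date + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the allowed disable window
        last_login = date.fromisoformat(acct["last_login"])
        findings.append({
            "username": acct["username"],
            "employee_id": acct["employee_id"],
            "termination_date": term_date.isoformat(),
            "days_overdue": (as_of - deadline).days,
            "used_after_termination": last_login > term_date,
        })
    # Most overdue first, so the worst exceptions lead the working paper.
    return sorted(findings, key=lambda f: f["days_overdue"], reverse=True)


def run_sample(as_of_iso="2024-04-15"):
    """Run the reconciliation over the constructed extracts as of a given date."""
    return find_offboarding_gaps(HR_TERMINATIONS_CSV, ACCOUNTS_CSV,
                                 date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point for the exam is the division of labour: the termination procedure (administrative) sets the requirement that accounts be disabled on departure, the identity system's disable flag (technical) implements it, and this reconciliation is the auditor's test of whether the procedure is actually operating. A login after the termination date turns a control weakness into an unauthorized-access finding.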
❓ Frequently Asked Questions
How do administrative controls support technical controls?
Administrative controls provide the authority and mandate for technical controls. For example, a password policy defines the requirements (minimum length, complexity, expiry) that the system's password settings must technically enforce. An auditor tests both halves: that an approved policy exists, and that the configured settings actually match it.
Is a visitor sign-in sheet a physical or administrative control?
The requirement to maintain a visitor log is an administrative control (a procedure). The actual physical logbook is the medium, while the lock on the door is the physical control.
Why is mandatory vacation considered an administrative control?
It is a management-mandated procedure designed to detect fraud. When an employee is away, their duties are performed by others, making it difficult to conceal illicit activities.