Administrative Controls
Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature.
- dictate how the users of your environment should behave
- are managerial
- Must have the ability to enforce these controls
- if not, they are worse than useless because they create a false sense of security
- when you accept, avoid, or transfer risk, you’re likely using administrative controls
- Must document administrative controls and provide evidence they are being followed
- e.g., information security policy