The third blog in our TRAC series is the often misunderstood and more often reviled “Administration”. Now before you click away from this blog to watch a “Fri-yay” cat video, I promise that this post will be worth your while.
Glad that you are still reading! Administration is one of the most important aspects of organizational information security. It is not that administration in and of itself will necessarily bolster your cybersecurity posture, but it can certainly influence it. More importantly, well-written policy can save your organization countless dollars. Now I know I have your attention, so let’s get down to brass tacks.
If we are looking at compliance, proper security administration is very valuable indeed. Many security standards require a substantial amount of documentation surrounding the requirements therein; sometimes as much as 60% of a standard’s requirements concern documentation. While this may seem like bureaucracy, there is a reason and method to this madness.
Most information security or cybersecurity standards require significant administration because administration is a behavioral control. People are ultimately the ones being protected by information security. I will say that again: information security is simply a derivative of risk mitigation, which ultimately exists only to protect human interests, sometimes including lives. To neglect human behavior in any form of risk management would leave out at least half of the equation. More specifically, good administration of information security requires writing policy and procedure that lays out not only what is required and forbidden, but what constitutes acceptable behavior as well.
Finally, good policy and procedure are also a cushion in the event of legal proceedings surrounding an information security incident. Logs, audit records, and documents substantiating adherence to regulatory statutes can all show due care and proper diligence in handling sensitive documents. When in place, proper administration will protect the organization and separate its intents and self-authorized actions from those of insider threats or rogue actors. In some cases, the administrative requirements an organization imposes on itself can even completely absolve it of certain liabilities in a court of law (see Ohio Law).
Requirements and legal obligations vary from organization to organization and from place to place. No matter how you slice it, from informing members of an organization about acceptable security practice to establishing diligence and care when handling sensitive documents, administration is one of the most important aspects of an information security program, and it can be one of the most effective ways to reduce information risk.