Preventive administrative controls are management policies and procedures designed to protect against unwanted employee behavior, including:
- Separation of duties
- Business continuity and DR planning/testing
- Proper hiring practices
- Proper processing of terminations
Separation of duties
Most positive business outcomes are the result of properly executed processes. When a single individual performs every step in a process, that person has the opportunity to perform an intentional or unintentional act that compromises the confidentiality, integrity, or availability of data, and fraud is easier to commit because nobody else reviews the work.
To eliminate or mitigate opportunities for unwanted behavior, separate each process into discrete tasks and divide those tasks between two or more individuals. This creates an environment in which intentional wrongdoing requires collusion, and mistakes are more likely to be caught as the work moves from one set of eyes to another.
Business continuity and disaster recovery planning/testing
Business continuity activities help protect the availability of your information assets. They include the incident response and disaster recovery processes designed to keep a security incident from having a major impact on the business. These plans are only as good as their last exercise, so test them on a regular schedule rather than discovering their gaps during a real outage.
Proper hiring practices
Since many security incidents are caused by the action or inaction of employees, hiring the right people is a key administrative control. Two hiring practices help secure business information: background checks and reference checks.
A background check might be as simple as a phone call to local law enforcement for a records check. If an employer believes a more comprehensive check is required, online services can quickly perform national checks on prospective employees. The depth of the check, and the cost the business is willing to absorb during the hiring process, should depend on the sensitivity of the information for which the potential employee will be responsible.
It's common practice for managers to conduct reference checks on potential new hires, but these checks often deal only with the person's ability to do the job. Performance-only checks are sufficient if the data the person will process daily has little value to the organization, or if management is willing to accept the risk. If the prospective employee will regularly process sensitive or business-critical information, the employer should consider two additional checks: character references and credit checks.
Checking character references is a good way to determine whether a person can be trusted: does the person consistently make commitments and follow through on them? Present and former employers may not be the best sources for this information. Lawsuits over character-based comments made by managers about former employees have led many organizations to adopt policies against providing this kind of information, so include a request for non-employer references as part of the employment application process.
Credit checks are another way to determine whether a person is right for an open position. A credit check is not performed only to find out whether someone is susceptible to bribery, although that is important information if your organization holds trade secrets critical to its competitive advantage. Another reason to perform a credit check is to gauge the maturity of the individual and her willingness to accept responsibility. A credit report that shows a person consistently late in attending to financial obligations, or not attending to them at all, tells you quite a bit. Note that in many jurisdictions a credit check on a job applicant requires the applicant's written consent and may be restricted to certain roles, so confirm the applicable law before making it part of your process.
Proper processing of terminations
During a person's employment with your organization, you might give him access to various information resources. In addition, you might issue him keys, badges, etc. When he leaves, the person processing his termination should follow a well documented process for removing his logical and physical access to all business assets, including your data.
It isn't always easy to remove all data access rights from an employee who is leaving. Disabling or deleting operating system accounts is the easy part; finding every application and remote access account that bypasses operating system security is the real challenge. If your organization is small, I recommend maintaining a spreadsheet with one row per employee listing each application and remote access service to which the person has access and the login ID for each. Remember that the content of this spreadsheet is itself sensitive data. As a minimal safeguard, protect the file with an open password that encrypts it (not the sheet-protection feature, which only prevents edits). A better solution is an inexpensive encryption program that encrypts the file outright.
Larger companies should consider an identity and access management (IAM) solution. As the number of accounts grows, so does the cost of tracking where each one lives, and the typical result of a manual approach is a long list of stale accounts scattered across applications. Besides becoming a potential "gotcha" during an audit, these accounts pose a significant risk to your organization: their passwords never change, and they give former employees a way back into your information assets. Whatever tool you use, periodically reconcile every application's user list against the HR roster; any enabled account that belongs to a departed employee, or that can't be tied to any employee at all, should be disabled pending investigation.
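The reconciliation described above, as an added example that is not part of the original article: it builds the per-employee account inventory (the "spreadsheet" row) from application exports and then flags enabled accounts of terminated employees, accounts that map to no employee, and accounts whose password has not changed within a set age. The HR roster, the application names, the export columns and the sample rows are all constructed for the example; real exports would come from HR and from each application's user store.

```python
import csv
import io
from datetime import date

# Constructed sample HR export (not from the article).
HR_ROSTER_CSV = """employee_id,name,status,termination_date
1001,Ann Lee,active,
1002,Bob Ray,terminated,2024-03-15
1003,Cy Diaz,active,
1004,Di Fox,terminated,2024-05-02
"""

# Constructed sample exports, one per application. Note that login IDs differ
# between applications, which is exactly why a per-employee inventory is needed.
APP_EXPORTS = {
    "os_directory": """login,employee_id,enabled,last_password_change
alee,1001,true,2024-04-01
bray,1002,false,2023-12-01
cdiaz,1003,true,2024-02-10
""",
    "vpn": """login,employee_id,enabled,last_password_change
alee,1001,true,2024-04-01
bray,1002,true,2023-12-01
svc_backup,,true,2021-06-30
""",
    "crm": """login,employee_id,enabled,last_password_change
ann.lee,1001,true,2024-01-05
di.fox,1004,true,2023-09-20
cy.diaz,1003,true,2023-01-15
""",
}


def load_roster(text):
    """Return {employee_id: row} from the HR export."""
    return {r["employee_id"]: r for r in csv.DictReader(io.StringIO(text))}


def load_accounts(exports):
    """Flatten every application export into one list of account dicts tagged with the app name."""
    accounts = []
    for app, text in exports.items():
        for r in csv.DictReader(io.StringIO(text)):
            r["app"] = app
            r["enabled"] = r["enabled"].strip().lower() == "true"
            accounts.append(r)
    return accounts


def accounts_for(accounts, employee_id):
    """The offboarding checklist for one employee: every (app, login) that must be disabled."""
    return [(a["app"], a["login"]) for a in accounts if a["employee_id"] == employee_id]


def reconcile(roster, accounts, today, max_password_age_days=365):
    """Compare application accounts against the HR roster and report the risky ones.

    today is an ISO date string; the password-age threshold is an assumed policy value.
    """
    today = date.fromisoformat(today)
    findings = {"terminated_still_enabled": [], "orphaned": [], "stale_password": []}
    for a in accounts:
        ref = f'{a["app"]}:{a["login"]}'
        emp = roster.get(a["employee_id"])
        if emp is None:
            # No employee_id, or one HR has never heard of: a shared or leftover account.
            findings["orphaned"].append(ref)
        elif emp["status"] == "terminated" and a["enabled"]:
            findings["terminated_still_enabled"].append(ref)
        if a["enabled"]:
            age = (today - date.fromisoformat(a["last_password_change"])).days
            if age > max_password_age_days:
                findings["stale_password"].append(ref)
    return findings


if __name__ == "__main__":
    roster = load_roster(HR_ROSTER_CSV)
    accounts = load_accounts(APP_EXPORTS)
    print("Offboarding checklist for 1002:", accounts_for(accounts, "1002"))
    for category, refs in reconcile(roster, accounts, "2024-06-01").items():
        print(f"{category}: {refs}")
```

Run against the constructed data, the report shows Bob Ray's VPN account still enabled even though his directory account was disabled, Di Fox still active in the CRM, and a service account on the VPN that nobody owns and whose password has not changed in years; those are the accounts a manual process leaves behind.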
Finally, ensure that employees terminated for cause are not left alone on the premises after you inform them of their employment status. Such an employee should be escorted to his desk, observed while he packs his personal belongings, and escorted off the premises. Remove network access during the termination meeting: most employers for whom I've worked notified Security ahead of the termination discussion, so the relevant accounts were disabled before the terminated employee left his manager's office. Collect keys and badges before he leaves, and inform the officers responsible for facility physical security to deny the terminated individual future access.