What Are Administrative Security Controls?

In any network security strategy, it’s important to choose the right security controls to protect the organization from different kinds of threats. Generally speaking, there are three different categories of security controls: physical, technical, and administrative. What’s the difference between administrative, technical, and physical security controls?

Knowing the difference between the various types of security controls is crucial for maximizing your cybersecurity. So, what are administrative security controls? Here’s a quick explanation and some advice for how to choose administrative security controls for your organization:

What Are Administrative Security Controls?

The Massachusetts Institute of Technology (MIT) has a guide on cybersecurity that provides a fairly easy to understand definition for administrative controls in network security. According to their guide, “Administrative controls define the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information.”

Administrative security controls often include, but may not be limited to:

• Security education training and awareness programs;
• A policy of least privilege (though it may be enforced with technical controls);
• Bring your own device (BYOD) policies;
• Password management policies;
• Incident response plans (which will leverage other types of controls); and
• Personnel management controls (recruitment, account generation, etc.).

What’s the Difference between Administrative, Technical, and Physical Security Controls?

While administrative controls may rely on technology or physical controls for enforcement, the term is generally used for policies and procedures rather than the tools used to enforce them. For example, a BYOD policy is an administrative control, even though the security checkpoints, scanners, or wireless signal blocking tools used to enforce the policy would be physical controls.

Basically, administrative security controls are used for the “human factor” inherent to any cybersecurity strategy. They can be used to set expectations and outline consequences for non-compliance. Meanwhile, physical and technical controls focus on creating barriers to illicit access—whether those are physical obstacles or technological solutions to block in-person or remote access.

How to Choose Administrative Security Controls

When selecting administrative security controls (or any other kind of security controls), it’s important to consider the following:

1. The Expected Impact on the Organization. If the control is put into place, how may it affect your organization’s workflows? Will the control increase or reduce task times? What expenses will implementing the new policy incur?
   
   
2. Deployment of the Security Control. How will you deploy the new administrative security control to your organization? The deployment method should ensure that all members of the organization are aware of the new policies and the risks of non-compliance as efficiently as possible.
   
   
3. Does the New Administrative Control Clash with Existing Controls? When a new policy or procedure is introduced, will it clash with an existing one in some way? It’s important to test new administrative security controls and verify that they won’t cause complications—or, if they do, you know what the problem is so you can train your employees to overcome it.
   
   
4. Whether the New Security Control Provides a Reasonable Increase to Security or Compliance. If the security control does not help your organization meet some regulatory compliance standard or provide a verifiable increase to security, you may want to reconsider implementing it. While more security and better documentation of processes can be a good thing, spending money for no return on investment should be avoided.

Most of the administrative security controls mentioned earlier in this article should be useful for your organization. However, here’s one more administrative security control best practice to consider: You should periodically revisit your list of security controls and assess them to check what their actual impacts have been, and whether you could make improvements.

Need help selecting the right administrative security controls to help improve your organization’s cybersecurity? Reach out to the team at Compuquip for more information and advice.