If the mitigation of risk is the central focus of Information Security, controls are the primary tools to achieve this goal. A control is any device or process that is used to reduce risk. Keep in mind that our goal as managers of Information Security and operational risk is not to eliminate all risk for the business. Perfection is unachievable, since operational risk stems from the frailties of human nature and acts of God, neither of which can be completely controlled. Instead, our goal in designing and implementing controls is to reach a balance between achieving an acceptable level of risk for the business (minimizing losses) and an acceptable level of expense (minimizing the resources necessary to manage those risks). For this reason, not all processes or tasks require the same level of controls to mitigate the risk to an acceptable level. The risk from a process failure may be so slight, or the controls on other components within the process may provide adequate protection, that no additional controls are necessary. Conversely, some controls are required regardless of the risk, such as those imposed by regulatory requirements.

Since each business has limited resources, controls ideally should be limited to those mandated by policy, law or regulation or where the risk of loss is greater than the cost of the control. If the cost to the business from a failed control is minimal or non-existent, you should consider whether the control is necessary.

The other aspect to consider is whether the control is efficient and effective. Consider the need to protect check stock. To prevent internal fraud, the business might implement a control that all checks require dual signature, but that control will not prevent an employee from forging one or both of the signatures. To prevent forgery the checks could be locked in a secure cabinet, but that will not prevent an authorized signatory with a key from removing a check, signing it and forging the other signature. A solution would be to use a cabinet that requires two keys for access, together with a process in which each authorized signatory signs the checks in the presence of the other. Alternative solutions would be to use an armed guard to protect the checks on a 24x7 basis, train all employees in ethical behavior, or implement technology that replaces all payments with electronic transfers. As can be seen in this example, there are a multitude of potential controls that could be used. Assuming that the risk from forged checks is significant, it is clear that a simple locked cabinet or ethics training alone are not effective controls. Conversely, the risk is typically not significant enough to warrant the expense of an armed guard.

Controls can be broken down into three types:

  • Administrative - These are the laws, regulations, policies and standards that dictate how operational risks should be addressed within the business units. In effect, a law or policy states the maximum permissible operational risk that a business may assume. A policy may provide that passwords must be at least six characters in length. A business may implement the policy by setting a more rigorous standard of seven character passwords, but the policy does not permit the business to take on the additional risk of five character passwords.
  • Logical - These are the virtual or technical controls used to ensure that processes are followed. A policy may require that significant processes have some form of maker/checker or segregation of duties to ensure the integrity of the data and minimize the possibility of unauthorized activity. To implement this policy, the business may use logical controls such as a function within an application that requires that a manager indicate review and approval of a check request (maker/checker) before the payment can be processed.
  • Physical - These are the physical controls, such as locks, security cameras and guards, that are used to minimize the risk of loss. For example, the maker/checker policy requirement could be met, in part, by locking the check stock in a file cabinet and giving the key to a person who is not part of the check request process. That person would review the check request and indicate approval by unlocking the cabinet and providing the checkbook for processing.

A detailed discussion of laws/regulations and logical and physical controls is beyond the scope of this site. The following pages provide an overview of writing good policies and procedures.

©2009 ISRMC, LLC