If the mitigation of risk is the central focus of Information Security, controls are the primary tools to achieve this goal. A control is any device or process that is used to reduce risk. Keep in mind that our goal as managers of Information Security and operational risk is not to eliminate all risk for the business. Perfection is unachievable, since operational risk stems from the frailties of human nature and acts of god, neither of which can be completely controlled. Instead, our goal in designing and implementing controls is to reach a balance between achieving an acceptable level of risk for the business (minimizing losses) and an acceptable level of expense (minimizing the resources necessary to manage those risks). For this reason, not all processes or tasks require the same level of controls to mitigate the risk to an acceptable level. The risk from a process failure may be so slight, or the controls for other components within the process may provide adequate protection, that no additional controls are necessary. Conversely, some controls are required regardless of the risk, such as those imposed by regulatory requirements.
Since each business has limited resources, controls ideally should be limited to those mandated by policy, law or regulation, or to those where the risk of loss is greater than the cost of the control. If the cost to the business from a failed control is minimal or non-existent, you should consider whether the control is necessary at all.
The other aspect to consider is whether the control is efficient and effective. Consider the need to protect check stock. To prevent internal fraud, the business might implement a control that all checks require dual signature, but that control will not prevent an employee from forging one or both of the signatures. To prevent forgery the checks could be locked in a secure cabinet; however, that will not prevent an authorized signatory with a key from removing a check, signing it and forging the other signature. A solution would be to use a cabinet that requires two keys for access and to implement a process requiring each authorized signatory to sign checks in the presence of the other authorized signatory. Alternative solutions would be to use an armed guard to protect the checks on a 24x7 basis, to train all employees in ethical behavior, or to implement technology that would replace all check payments with electronic transfers. As can be seen in this example, there are a multitude of potential controls that could be used. Assuming that the risk from forged checks is significant, it is clear that a simple locked cabinet or ethics training alone are not effective controls. Conversely, the risk is typically not significant enough to warrant the expense involved with an armed guard.
Controls can be broken down into three types:
A detailed discussion of laws/regulations and logical and physical controls is beyond the scope of this site. The following pages provide an overview of writing good policies and procedures.
©2009 ISRMC, LLC