Administrative controls are as important as any other type of control.

19 06 2012

In our days in which the digital information is being transmitted and processed by tons and is one of the most important assets for every company, the information security has developed a huge variety of control systems that try to protect the information.

I believe that the most complex system without policies, guidelines and training will not avoid information leaks. Those last administrative controls are as much as important as any other control device implemented to protect the information assets.

The principle of easiest penetration according to Charles and Shari Pfleeger on Security in computing, states that any system is most vulnerable at its weakest point1. I agree with this principle, and I also believe that one of the weakest points of every system is people.

There has been several stories in which the people that are working for a company, makes an error intentionally or unintentionally and filters information to another organization that makes it public and causes losses to the business or reputation of that company. Some other cases workers that terminate the relationship with a company also filter information. There was an example that came to my mind because it was a trend topic in the news some days ago, below the story:

Currently Mexico lives elections times. We will be choosing a new president. We are in the time prior to the elections where the presidential candidates present to the people their proposals for the new government, but in this time there are also notes on the communication media that do not talk good things about them, trying to change the mind of the voters. This is the case of one of the candidates that has been blamed to have contracts with Televisa (one of the most important TV companies in Mexico) to fabricate a good image to him by a favorable coverage. If this is true, this is of course illegal, because the contracts happened when the candidate acts as Governor. Few days ago, The Guardian2 made public a note in which reveals that US diplomatic were concerned about the supposed relationship between Televisa – Peña Nieto (Candidate) during 2009. According to the Guardian3, they have access to documents in which US diplomats were reporting the fact that the now presidential candidate was paying for favorable TV coverage while he was governor of Mexico state during 2009.   The Guardian according to the note posted on their website, had access to outlines of fees, detailed media strategy, and payments arrangements. The most important part is that according to that note, the Guardian had access to those documents from a source that worked with Televisa, in form of excel spreadsheet files and power point files.

I bring this example to support my point about that the people is one of the most important weakness of a security system. Therefore it is very important to implement Administrative controls like Policies, Standards, Procedures and Guidelines. All the users of the information have the responsibility to understand the importance of information security and their role in protecting the company assets.

You can design a very huge and complex security system, but at the end, the people generate and modify information and have access or privileges to read or modify the information. Therefore it is important to invest in training, to make aware the people about the importance of the information and the damages they can cause if the information is filtered. The engagement of the people to meet the policy as well as their integrity will be one of their best controls against information stolen situations.


1. Pfleeger, Charles P, and Shari L. Pfleeger. Security in Computing, 4th Edition. Upper Saddle River, NJ: Prentice Hall, 2008. Kindle Edition






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: