ELI5: What are Administrative Controls?
These are the written rules and training — like a school handbook that says “no running in the halls.” They tell people how to behave safely, rather than using a gadget or a lock to stop them.
Definition
Administrative controls are management-level security measures that govern how people behave within an organization. They include security policies, standard operating procedures, security awareness training, background checks, job rotation, and separation of duties. Unlike technical or physical controls, administrative controls primarily influence human behavior and organizational processes to reduce security risk.
Key Details
- Examples include: Acceptable Use Policies (AUP), incident response plans, background checks, security awareness training, and change management procedures.
- Administrative controls are often the foundation upon which technical and physical controls are justified and implemented.
- Job rotation and mandatory vacation are administrative controls that detect fraud by ensuring no single person can sustain a cover-up indefinitely.
- Separation of duties (a key administrative control) requires multiple people to complete critical transactions.
- On the exam, administrative controls are also called managerial controls.
Connections
- Parent: defense-in-depth — one of three control types layered in a defense-in-depth strategy
- See also: technical-controls, physical-controls