How to Prevent Data Breaches Using Administrative Controls
This article is part of our series on how to prevent data security breaches. Read more about how you can use physical safeguards and technical safeguards to mitigate your business risk.
Preventing data breaches requires a combination of approaches to manage people, processes, and technologies to implement robust security controls. This article addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Nonetheless, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.
Administrative safeguards are the non-technical, “soft” measures that management establishes regarding acceptable employee conduct, personnel procedures, and correct technology usage within the enterprise.
For context, this article refers to a business covered by a security policy as the “Covered Entity.”
Risk Analysis
Risk analysis consists of four components:
Asset identification and valuation
Threat identification
Vulnerability identification
Risk identification
Asset Identification and Valuation
The term “assets” refers to items of value to the Covered Entity, which include (among other things) computer hardware, mobile devices, software, records, and other information. Asset identification and valuation involve listing the assets to be considered within the scope of the risk assessment. Once identified, the Covered Entity needs to assign an appropriate value to each asset, which can be monetary or simply a qualitative measure of the asset’s value (e.g., high, medium, or low).
Threat Identification
A threat is a negative event that has the potential to damage an asset that is vulnerable to it. Information security threats compromise the confidentiality, integrity, or availability of information. Threats may be intentional, such as a hacker attempting to break into a network, or inadvertent, such as the mistyping of an e-mail address, which may be attributable to ordinary human carelessness or fatigue. Threats may extend beyond human conduct, whether intentional or not, to natural or physical phenomena. For instance, hurricanes and earthquakes pose threats to the availability of information when they strike data centers and the equipment operating in them.
Vulnerability Identification
A vulnerability is a weakness in an asset that allows a threat to damage that asset. This weakness can stem from the lack of a control designed to protect the asset, from a weakness in the control, or from a characteristic of the asset itself. Threats have the potential to exploit these weaknesses to damage the confidentiality, integrity, or availability of the asset. Because vulnerabilities exist only in the context of a threat, the Covered Entity must carefully consider which threats are relevant to it when assessing the vulnerability of an asset to a particular threat.
Risk Identification
The risk identification step analyzes risk based on the likelihood that a threat will exploit a vulnerability and the impact that event would have on the vulnerable asset. The Covered Entity can use existing questionnaires, interviews with experts, records of past incidents, and other means to determine the risks the organization may encounter. The Covered Entity should document potential risk elements as part of its risk management process. High risks are those involving threats that occur frequently and/or exploit vulnerabilities of high-value assets. Low risks are those where a minor vulnerability may expose a low-value asset to unlikely or infrequent compromise or loss. Even when the risk identification step is completed, some “unidentified risk” remains.
Risk Management
Risk Management describes the continuous, iterative process of:
Analyzing changes to the Covered Entity’s environment, including such factors as: (i) implementation of new technology and associated vulnerabilities; (ii) developments in new threat technology; (iii) changes to organizational structure and business goals; and (iv) changes in regulations
Measuring and prioritizing risks and corresponding mitigation measures and incorporating them into a Risk Management Plan
Implementing those mitigation measures defined in the Risk Management Plan
The Risk Management Plan should address how risk is to be managed to an acceptable level. Risks may be prioritized on the basis of the degree of risk, the magnitude of harm that a threat could cause, the cost to mitigate a vulnerability, business goals and critical needs, and expected effectiveness of mitigation measures.
Security Management Function
A Covered Entity should have a person in charge of the information security function at the company. For purposes of accountability, that one person should be accountable to senior management and ultimately the board of directors or equivalent. If the Covered Entity does not have such a person, then the security function is scattered, multiple people may attempt to shift responsibility among themselves, and critical security tasks may fall through the cracks. Frequently, management assigns security oversight in a company to a Chief Information Security Officer.
Hiring, Supervising, Terminating Workers, Single-user Accounts, and Accountability
People are the weakest link in any security program. To address this vulnerability, the Covered Entity must institute policies, procedures, and standards to ensure that the security risk posed by the workforce itself is managed. Workers who do not need access should not be given access rights, and workers without explicit access rights should be denied access to security-sensitive information. To comply with these administrative safeguards, the Covered Entity should implement the following three procedures:
Authorization and/or supervision: granting access privileges and supervising workers’ access to security-sensitive information
Workforce clearance procedure: managing the hiring and HR policies of the Covered Entity to ensure that it fills roles with trustworthy and competent personnel
Termination procedures: revoking access privileges and obtaining the return of devices, media, and security-sensitive information
Access Management
These administrative procedures govern how Covered Entities grant access privileges for applications, workstations, and security-sensitive information to authorized people in the organization. When determining who in the organization should access systems, programs, databases, or other intermediaries to security-sensitive information, management should consider policies that limit access to the minimum number of people and the minimum extent necessary for employees to perform their job. Granting privileges that exceed the minimum required for proper job performance can add risk to the security and privacy of sensitive information.
Security Awareness and Training
People cannot perform their duties securely unless they are familiar with the entity’s security policies and procedures. Awareness allows employees to grasp the importance of security and its role in protecting privacy. Training focuses on how to use the security features and maintain a secure information-processing environment.
Reminders
Training and awareness are continuous, not one-time events. The Covered Entity must have an ongoing, periodic security awareness and training program. Its goal should be to keep staff updated on the latest risks and threats the system is facing, as well as any changes in the Covered Entity’s security programs.
Malware/Social Engineering
The organization must have a policy and procedure on how it will protect itself from malicious software and phishing attacks. Malicious software can be any code that affects the confidentiality, integrity, or availability of security-sensitive information. Examples of malicious software include viruses, worms, and Trojan horses. Most recently, companies have been victimized by numerous “ransomware” attacks, in which malicious software encrypts a company’s data and attackers demand a ransom to decrypt the information.
The software can enter the environment from many sources including email, USB drives and other media, employee-installed software, and websites. Phishing attacks involve sending messages to people to get them to sign on to phony sites and disclose their login credentials, which can be harvested and used for impersonation, identity theft, and other malicious purposes.
Log-in Monitoring
The Covered Entity should have appropriate procedures for monitoring attempts to log into systems or applications that contain or can access security-sensitive information and for reporting anomalous events. Examples of these events include:
Unusual times for a workstation to be active or logged in — such as well after business hours or during an employee's off time — which may indicate that an employee is trying to get protected information outside the scrutiny of his/her supervisor, or that an attacker is attempting to gain unauthorized access.
Unusually high numbers of failed login attempts — which might indicate that an attacker who does not know the password is trying to guess it.
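The two anomalous events above can be checked mechanically. The following is an added example (not code from the original article) that runs both checks over a few constructed log lines; the log format, the 08:00 to 18:00 business-hours window, and the five-failures-in-ten-minutes threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log lines (not from any real system): ISO timestamp, user, outcome.
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=alice result=SUCCESS
2024-03-04T13:40:11 user=bob result=SUCCESS
2024-03-04T23:52:30 user=carol result=SUCCESS
2024-03-05T08:01:00 user=mallet result=FAILURE
2024-03-05T08:01:07 user=mallet result=FAILURE
2024-03-05T08:01:15 user=mallet result=FAILURE
2024-03-05T08:01:20 user=mallet result=FAILURE
2024-03-05T08:01:26 user=mallet result=FAILURE
2024-03-05T08:01:31 user=mallet result=FAILURE
2024-03-09T10:30:00 user=dave result=SUCCESS
"""

# Assumed policy values: business hours and the failed-login burst threshold.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, timedelta(minutes=10)


def parse_line(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], result.split("=", 1)[1]


def off_hours(ts):
    # Weekend (Monday=0 ... Sunday=6) or outside the business-hours window.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text):
    """Return (finding_type, user, timestamp) tuples for the two anomaly classes."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of failures inside the sliding window
    for line in log_text.splitlines():
        ts, user, result = parse_line(line)
        if result == "SUCCESS" and off_hours(ts):
            findings.append(("OFF_HOURS_LOGIN", user, ts.isoformat()))
        elif result == "FAILURE":
            window = [t for t in failures[user] if ts - t <= FAILURE_WINDOW] + [ts]
            failures[user] = window
            if len(window) == FAILURE_THRESHOLD:  # report once per burst, not on every extra failure
                findings.append(("FAILED_LOGIN_BURST", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

In the sample, carol's late-night login and dave's Saturday login trigger the off-hours rule, and mallet's fifth failure within ten minutes triggers the burst rule; the reviewer still has to decide whether each is a supervisor-approved exception or an incident to report.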
Password/Credential Management
Covered Entities can train their personnel to choose and maintain secure passwords used for access control to systems and information. Passwords may have security standards themselves such as:
Minimum length.
Complexity (e.g., required numeric and non-alphabetical characters, lower- and upper-case letters, etc.).
Difficulty of guessing (e.g., avoidance of dictionary words, maiden names, pets’ names, spouse’s name, etc.).
Minimum and maximum usage time dictating when they must be changed.
Password management and password confidentiality policies and procedures directly affect the security of the accessed system or application.
If the Covered Entity uses authentication methods other than passwords, such as smart cards or other hardware tokens, it should have policies and procedures for issuing, managing, and revoking credentials associated with such devices.
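As an added example that is not part of the original article, the password standards listed above (minimum length, complexity, avoidance of guessable words, and minimum/maximum usage time) can be expressed as a checker that reports every rule a candidate fails rather than stopping at the first one. The numeric limits and the deny-list of words are assumptions for the illustration; a real deployment would load the deny-list from a dictionary and from breach corpora.

```python
import re
from datetime import date, timedelta

# Assumed policy values; the article names the categories, not the numbers.
MIN_LENGTH = 12
MIN_AGE, MAX_AGE = timedelta(days=1), timedelta(days=90)
# Constructed deny-list standing in for dictionary words and personal/pet names.
DENY_WORDS = {"password", "welcome", "summer", "fluffy", "smith"}

CHARACTER_CLASSES = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(candidate, deny_words=DENY_WORDS):
    """Return a list of policy violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CHARACTER_CLASSES.items() if not re.search(pat, candidate)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Case-insensitive substring match so "Fluffy2019!!" is still caught.
    lowered = candidate.lower()
    hits = sorted(w for w in deny_words if w in lowered)
    if hits:
        problems.append("contains guessable words: " + ", ".join(hits))
    return problems


def change_status(last_changed, today):
    """Apply the minimum and maximum usage time to a password's age."""
    age = today - last_changed
    if age < MIN_AGE:
        return "too_soon"  # changing again this quickly defeats history checks
    if age > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for pw in ("Fluffy2019!!", "short", "Tr4il-Maple-Quartz"):
        print(pw, check_password(pw) or "ok")
    print(change_status(date(2024, 1, 1), date(2024, 4, 15)))
```

Note that current NIST SP 800-63B guidance favors length and screening against breached-password lists over mandatory composition rules and calendar-based rotation, so the complexity and maximum-age checks here implement the article's list rather than a recommended policy.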
Incident Response and Handling
The Covered Entity should train all personnel to recognize events that may indicate a security incident has taken place. It should also establish mechanisms and procedures for reporting such events as potential security incidents and for investigating and responding to them.
In responding to incidents, Covered Entities must take steps to mitigate their effects. Mitigation may take the form of closing a vulnerability that caused the incident, retrieving information that was lost or misappropriated, implementing a new security safeguard, or strengthening an existing safeguard.
In any event, Covered Entities should document incident reporting and handling to make a record of what happened, assist in managing future efforts to respond to the incident, and facilitate remedial actions to prevent similar incidents in the future.
Backup, Disaster Recovery, and Business Continuity
Data backup planning and execution involve more than occasionally making a copy of security-sensitive information and storing it somewhere. Backup planning and implementation should be a formal process that includes planning for:
Backup frequency and maximum allowable data loss: The backup frequency (e.g., once per week, once per day, once per hour) and the location of the backup media determine the maximum allowable data loss, i.e., the amount of data created since the last backup that cannot be retrieved after an emergency or other incident.
Maximum time to restore: This metric determines how long it will take to move the backup copy into service. Different storage methods – tape, optical disk, etc. – require different amounts of time to restore.
Backups need the same security protections as information receives in its primary (production) systems for normal use. Backup policies and procedures must be subject to the same management controls as the production services.
Assessment
No policy or procedure lasts forever. Management should ensure that policies and procedures are kept current with prevailing security threats, information system vulnerabilities, and security and privacy risks. Management should set the frequency of policy and procedure evaluation (for example, once per year) and document it in the Covered Entity’s security policies and procedures. Covered Entities need to maintain version control of all policies and procedures. All personnel and advisors should be working with the most recent version of a policy or procedure.
Third-Party Supervision
Today, outsourcers and vendors perform many key roles for Covered Entities. When performing these functions, they will likely have access to security-sensitive information. Covered Entities should put into place appropriate agreements to require that third-party service providers protect the security of such information. Agreements should identify the information that needs to be protected, require assurances of security, contain a mechanism to assess compliance, require notification if a security breach occurs, and impose consequences in the event of a breach.