ABSTRACT

This chapter focuses on administrative controls and the data gathering techniques used to assess them. It introduces many of these administrative safeguards so that the security risk assessment team member is familiar with the controls they may encounter during an assessment, as well as with the safeguards available to recommend for high-risk areas. Insider actions that expose the organization to information security risk can be unintentional or intentional. The security program's prevention of social engineering, hacking, and the introduction of malware is addressed by clear assignment of roles and responsibilities, appropriate risk analysis, and a review of security activities. Audit functions include the safeguards of internal audit, third-party review, and security risk assessments. The key to a successful audit function is to ensure that auditors are not involved in developing what is to be audited, that auditors have access to all records, and that senior management is formally required to respond to audit findings.