Definitions

Management controls are

security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.[1]

[s]ecurity controls focused on managing organizational risk and information system security and devising sufficient countermeasures or safeguards to mitigate risk to acceptable levels. Management control families include risk assessment, security planning, system and services acquisition, and security assessment.[2]

Overview

Management controls are the mechanisms and techniques — administrative, procedural, and technical — that are instituted to implement a security policy. Some management controls are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security. Note that management controls are not only used by managers but may also be exercised by users. An effective program of management controls is needed to cover all aspects of information security, including physical security, classification of information, the means of recovering from breaches of security and, above all, training to instill awareness and acceptance by people.[3]

References

  1. NIST, FIPS 200.
  2. Tax Information Security Guidelines For Federal, State and Local Agencies, at 154.
  3. Computers at Risk: Safe Computing in the Information Age, at 50.