CHAPTER 7: CONTROLS – Managing Information Risk: A Director's Guide


The full range of possible controls is beyond the scope of this pocket guide (there’s an exhaustive list in NIST SP 800-30), but it should include technical, management and operational controls. Implemented correctly, they can prevent, or at least deter, damage by threat sources to your company’s business practices and reputation.

Software- and hardware-based controls can protect against outside hackers, but they can also be used to secure internal systems from staff, for example by insisting that files downloaded to removable storage are encrypted, or by blocking unauthorised personnel from certain files. They can both prevent and detect security violations, whether internal or external, through a combination of authentication and good housekeeping procedures.

However, directors should ensure that controls aren’t so tight that they restrict staff from doing their jobs effectively, or that valuable company data that could provide a competitive edge is left wallowing in a locked computer when it could be used to market to new customers.

For example, healthcare and public sector professionals are often unable to locate the data they need quickly and accurately because of IT directors’ fears over data security. Research by the information risk management software provider Recommind found that 94% of healthcare IT directors and 73% of public sector institutions cite data security fears as a key concern when providing employees with the information required for their day-to-day jobs.

That said, certain risk mitigation measures, such as an uninterruptible power supply to protect against power failure, have few negative impacts other than cost.