The information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration are known as administrative safeguards. Administrative safeguards include the following:
- Security policies and procedures: These documents define the organization's security requirements and how they will be met.
- Training and awareness: Employees must be trained on the organization's security policies and procedures, and they must be aware of the risks to information security.
- Incident response plan: This plan outlines how the organization will respond to security incidents.
- Audit and compliance: The organization must regularly audit its security controls to ensure that they are effective.
- Personnel security: The organization must carefully screen and monitor its employees to ensure that they are not a security risk.
Governance and risk management are also important components of information security. Governance is the set of processes and structures that an organization uses to make decisions about its information security. Risk management is the process of identifying, assessing, and mitigating the risks to information security.
Together, administrative safeguards, governance, and risk management form the foundation of an effective information security program.