Procedural controls refer to the procedures performed by individuals. They are often detailed in written documents that an organization uses for security. Procedural controls are directives from senior management on how to address security within the organization. Previous versions of NIST SP 800-53 referred to these controls as administrative controls.
The following sections provide examples of some of the common procedural controls in these categories:
- Policies and procedures
- Security plans
- Insurance and bonding
- Background and financial checks
- Data loss prevention program
- Education, training, and awareness
- Rules of behavior
- Software testing
Policies and procedures are written documents ...