
170 ◾ The Security Risk Assessment Handbook
© 2011 by Taylor & Francis Group, LLC
Table6.2 RIIOT Method of Data Gathering for Administrative Controls
(Continued)
Controls
Review
Documents
Interview
Key
Personnel
Inspect
Controls
Observe
Behavior
Test
Controls
Internal audit × ×
Third-party
review
× ×
Security risk
assessment
× ×
Security
awareness
× ×
Job training × × ×
Policy and
procedures
× × ×
Double key
data entry
× × ×
Two-man
control
× × ×
Criticality
analysis
× ×
Information
labeling
× × × × ×
Review of
access controls
× × ×
Media
destruction
× × × ×
Account
creation
procedures
× × × ×
Account
termination
procedures
× × ×
NTK × × ×
Asset inventory × × ×