Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization

Although looking at individual systems and functions for possible risks is important, so too is taking a broader view. A macro view of the organization identifies how all the pieces fit together.

Most organizations have a security policy created by senior management. It lays out the philosophy of security in the organization and identifies big-picture security goals. Security controls are implemented based on direction from the security policy.

Some of the controls that have a macro view of the organization include:

  • Account management controls—These controls govern the lifecycle of user accounts. Each user is given a separate, uniquely identifiable account (no shared accounts), the account is disabled promptly when the user leaves, and password management policies are applied to every account.
  • Access controls—Although access controls are enforced on individual systems, they are defined centrally. For example, Microsoft domains use Active Directory Domain Services as the basis for assigning permissions and controlling access. Most organizations create an administrative model that defines how groups are used to organize users; access permissions are then granted to the groups rather than to individual users, so a user’s effective rights follow from group membership. Least privilege is a core principle enforced with access controls: a user receives only the permissions the job requires.
  • Physical access—If an attacker has unrestricted physical access to a system, breaking into it is only a matter of time. Therefore, physical access controls are necessary to protect valuable assets by restricting physical access to them. They can include key locks, cipher locks, proximity cards, and closed-circuit television (CCTV) systems.
  • Personnel policies—Personnel policies, such as separation of duties and mandatory vacations, are used to help prevent and detect fraud. These policies aren’t targeted at individuals but rather at positions, such as accounting positions where personnel have access to organizational funds.
  • Security awareness and training—Some training is targeted at specific groups, such as managers or administrators, and other training is given to all personnel. Either way, training and awareness programs raise the security awareness of the whole organization.
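The following is an added example, not code from the book, that models three of the controls above in one place: group-based permission assignment (effective rights derived from group membership, as in an Active Directory-style administrative model), account management (a disabled account loses all access even though its group memberships remain), and separation of duties (flagging a position that would hold two conflicting rights on the same resource). The directory, the resource names, and the conflict table are constructed for illustration and are not Active Directory APIs.

```python
"""Toy central directory: users, groups, resource ACLs.

Constructed example (not Active Directory, not code from the book). It shows
how permissions granted to groups become a user's effective rights, how
disabling an account on departure removes access without deleting the
account, and how a separation-of-duties rule can be checked against the
effective rights a position ends up with.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)
    disabled: bool = False


# Resource ACLs, constructed for this example: resource -> {group: rights}.
# Rights are granted to groups only; no user appears directly in an ACL.
ACLS = {
    "gl-ledger": {"Accounting": {"read", "write"}, "Auditors": {"read"}},
    "ap-payments": {"AP-Clerks": {"create"}, "AP-Managers": {"approve"}},
    "hr-records": {"HR": {"read", "write"}},
}

# Separation-of-duties rule (constructed): the person who creates a payment
# must not also be able to approve it.
SOD_CONFLICTS = {("ap-payments", "create", "approve")}


def effective_permissions(user: User, acls=ACLS) -> dict[str, set[str]]:
    """Rights the user holds through group membership.

    A disabled account gets nothing, regardless of which groups it is in;
    this is what makes 'disable on departure' an effective control.
    """
    if user.disabled:
        return {}
    perms: dict[str, set[str]] = {}
    for resource, entries in acls.items():
        granted = set()
        for group, rights in entries.items():
            if group in user.groups:
                granted |= rights
        if granted:
            perms[resource] = granted
    return perms


def is_allowed(user: User, resource: str, permission: str, acls=ACLS) -> bool:
    """Authorization decision for one access request (deny by default)."""
    return permission in effective_permissions(user, acls).get(resource, set())


def sod_violations(user: User, acls=ACLS, conflicts=SOD_CONFLICTS):
    """Conflicting right pairs the user would hold on the same resource."""
    perms = effective_permissions(user, acls)
    return [
        (resource, a, b)
        for resource, a, b in sorted(conflicts)
        if {a, b} <= perms.get(resource, set())
    ]


def offboard(user: User) -> User:
    """Disable rather than delete: access stops, the audit trail remains."""
    user.disabled = True
    return user


if __name__ == "__main__":
    alice = User("alice", {"Accounting"})
    bob = User("bob", {"AP-Clerks", "AP-Managers"})  # conflicting position
    print(effective_permissions(alice))
    print(sod_violations(bob))
    offboard(alice)
    print(is_allowed(alice, "gl-ledger", "read"))
```

In practice the group-to-right mapping lives in the directory and the SoD table comes from the finance or audit function; the point of the model is that both checks run against effective rights, so a conflict introduced by adding someone to a second group is caught even though no ACL was edited.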

Many additional controls are available for review. The most important point here is that an organization’s controls should not be focused solely on individual systems. A sound security program will have a mix of both broad and narrow security controls.
