Employee training, risk management, and data handling procedures and policies are best characterized as administrative security measures. Administrative security measures are the policies, procedures, standards, guidelines, and practices that define and govern the roles, responsibilities, and actions of personnel and the organization with respect to the security of information systems and data. The three items in the question fall into the administrative category because they:
Establish and communicate the organization's security objectives, requirements, and expectations, and provide the direction and guidance for achieving and maintaining them (data handling procedures and policies).
Educate and train personnel in security awareness, skills, and behaviors, and evaluate and monitor their performance and compliance with security policies and procedures (employee training).
Identify and assess risks and threats to information systems and data, and implement and review controls and countermeasures to mitigate and manage them (risk management).
The other options do not describe the category these measures belong to.

Non-essential security measures are measures that are not required for the protection of information systems and data and that can be removed or reduced without compromising the security objectives or requirements. Employee training, risk management, and data handling procedures and policies are essential: removing or reducing them would compromise those objectives, so this option does not fit.

Management security measures are measures implemented and enforced by the organization's management or leadership, covering the planning, organizing, directing, and controlling of security activities and resources. The measures in the question are not carried out by management alone; they are implemented and followed by personnel and the organization as a whole, so this option does not fit either. (Some references use "managerial" as a synonym for administrative; the distinction drawn here is that management measures are the subset concerned with directing the security program, while the items in the question are operated across the whole organization.)

Preventive security measures are measures designed and deployed to prevent or deter security incidents or attacks, or to limit their impact; encryption, authentication, and firewalls are typical examples. The measures in the question are not classified by that function; their purpose is to define and govern the roles, responsibilities, and actions of personnel and the organization with respect to the security of information systems and data. They are therefore categorized by their nature (administrative, as opposed to technical or physical) rather than as preventive measures.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 19. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, page 19.