Information Security Process: Repeat
August 30, 2013
Information security, like all relationships, requires time and effort. I use a security management system which has worked well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks, and has made recovery easier and faster.
Repeat: not just to keep you, as a security professional, relevant to your employer, but also repeat at sporadic intervals.
Perhaps this is the most important step, but all of the previous steps should be repeated.
Classification: Revisit your information classification document at least annually to verify whether types of information should be added or removed. I have found that the levels of security and access rarely change; more likely, some services have been added or removed in the past year, so the information associated with those products needs to be added to the scope of your security planning or removed from it.
Securing Devices: These documents should be revisited more often. A scheduled review should be done at least every six months, but they should also be revisited every time a new vulnerability is released for the various systems or networks, to verify that adequate controls are in place to mitigate a loss and that security is still at the same level it was before the vulnerability was known.
Auditing procedures are generally an ongoing activity, but the guidelines and tools should be reviewed at least annually to see if there are better ways to make the job of auditing easier.
Education for each employee should be part of the on-boarding process, with static links pointing them to useful information specific to their job, and a time should be set aside to visit each team at least once a year to see if they have any new issues they wish to address. Short fifteen-minute meetings do not impact productivity, and longer detailed questions can be answered outside of the meeting scope.
I hope this short series of articles was of use to you; these are some general principles that I use every day as an information security professional.
© 2013 Norris Proprietaries Inc.