Easy way to Collect Security Process Data

Organizations should collect data about policies and procedures and review it on a regular basis to ensure that the established goals are being met. Additionally, they should consider whether new risks have appeared since the creation of the process that must now be addressed.

 

  • Account management. Every organization should have a defined procedure for maintaining accounts that have access to systems and facilities. This doesn’t just mean documenting the creation of a user account; it can also include when that account expires and the account’s logon hours. This should also be tied to facilities access. For example, was an employee given a code or key card to access the building? Are there hours during which that access method is also blocked? There should also be separate processes for managing the accounts of vendors and other people who might need temporary access.

 

  • Management review and approval. Management plays a key role in ensuring that these processes are distributed to employees, and that they are followed. The likelihood of a process or procedure succeeding without management buy-in is minimal. The teams that are collecting the process data should have the full support of the management team, including periodic reviews and approval of all data collection techniques.

 

  • Key performance and risk indicators. You can associate key performance and risk indicators with the data that is being collected. The risk indicators can be used to measure how risky the process, account, facility access or other action is to the organization. The performance indicators can be used to ensure that a process or procedure is successful and measure how much impact it has on the organization’s day-to-day operations.

 

  • Backup verification data. A strict and rigorous backup procedure is almost useless without verification of the data. Backups should be restored regularly to ensure that the data can be recovered successfully. When using replication, you should also implement integrity checks to ensure that the data was not corrupted during the transfer process.

 

  • Training and awareness. Training and awareness of security policies and procedures are half the battle when implementing or maintaining these policies. This extends beyond the security team that is collecting the data, and can impact every employee or user in an organization. The table below outlines different levels of training that can be used for an organization.

 

  • Awareness
    • Knowledge level: The “what” of a policy or procedure
    • Objective: Knowledge retention
    • Typical training methods: Self-paced e-learning, web-based training (WBT), videos
    • Testing method: Short quiz after training
  • Training
    • Knowledge level: The “how” of a policy or procedure
    • Objective: Ability to complete a task
    • Typical training methods: Instructor-led training (ILT), demos, hands-on activities
    • Testing method: Application-level problem solving
  • Education
    • Knowledge level: The “why” of a policy or procedure
    • Objective: Understanding the big picture
    • Typical training methods: Seminars and research
    • Testing method: Design-level problem solving and architecture exercises
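
The replication integrity check described under "Backup verification data" above, sketched as an added example that is not part of the original article: a hash manifest of the source is compared against the replica to report missing, unexpected and corrupted files. The directory names, file contents and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Hash in 1 MiB chunks so large backup files do not fill memory.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(source: dict[str, str], replica: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between the source manifest and the replica's."""
    shared = source.keys() & replica.keys()
    return {
        "missing": sorted(source.keys() - replica.keys()),
        "unexpected": sorted(replica.keys() - source.keys()),
        "corrupt": sorted(k for k in shared if source[k] != replica[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample data: a source tree and a replica with three faults."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "replica")
        for root in (src, dst):
            (root / "db").mkdir(parents=True)
            (root / "db" / "accounts.csv").write_bytes(b"id,name\n1,alice\n")
            (root / "policy.txt").write_bytes(b"retention=90d\n")
        (src / "db" / "audit.log").write_bytes(b"login ok\n")  # never replicated
        # Same length as the original, so a size-only comparison would miss it.
        (dst / "policy.txt").write_bytes(b"retention=90e\n")
        (dst / "stray.tmp").write_bytes(b"partial")  # leftover not in the source
        manifest = build_manifest(src)  # taken at backup time, stored separately
        return compare(manifest, build_manifest(dst))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The same comparison works after a test restore: build the manifest when the backup is taken, keep it apart from the backup media, and run it against the restored tree.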

 
