Organizations should collect data about their policies and procedures and review it regularly to ensure that the established goals are being met. They should also consider whether new risks have emerged since the process was created that must now be addressed.
- Account management. Every organization should have a defined procedure for maintaining accounts that have access to systems and facilities. This doesn’t just mean documenting the creation of a user account; it can include when that account expires and the logon hours of the account. This should also be tied to facilities access. For example, was an employee given a code or key card to access the building? Are there hours during which that access is blocked? There should also be separate processes for managing accounts of vendors and other people who need only temporary access.
- Management review and approval. Management plays a key role in ensuring that these processes are distributed to employees, and that they are followed. The likelihood of a process or procedure succeeding without management buy-in is minimal. The teams that are collecting the process data should have the full support of the management team, including periodic reviews and approval of all data collection techniques.
- Key performance and risk indicators. You can associate key performance and risk indicators with the data that is being collected. The risk indicators can be used to measure how risky the process, account, facility access or other action is to the organization. The performance indicators can be used to ensure that a process or procedure is successful and measure how much impact it has on the organization’s day-to-day operations.
- Backup verification data. A strict and rigorous backup procedure is almost useless without verification of the data. Backups should be restored regularly to ensure that the data can be recovered successfully. When using replication, you should also implement integrity checks to ensure that the data was not corrupted during the transfer process.
- Training and awareness. Training and awareness of security policies and procedures are half the battle when implementing or maintaining these policies. This extends beyond the security team that is collecting the data, and can impact every employee or user in an organization. The table below outlines different levels of training that can be used for an organization.
- Disaster recovery (DR) and business continuity (BC). Two areas that must be heavily documented are disaster recovery and business continuity. Because these processes are used infrequently, the documentation plays a key role in helping teams understand what to do and when to do it. As part of your security assessment and testing, you should review DR and BC documentation to ensure it is complete and covers a disaster from beginning to end. The procedures should adhere to the company’s established security policies and answer questions such as how administrators obtain system account passwords during a DR scenario. If sensitive information is required during DR or BC tasks, you need to ensure it is both secure and accessible to those who need it.
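As an added example (not part of the original text), the following Python script reviews a constructed account inventory against the account-management points above: missing expiry on vendor accounts, accounts past their expiry date, logons outside permitted logon hours and badge use outside facility hours, and rolls the findings up into a simple key risk indicator. The record layout, field names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple

@dataclass
class Account:
    name: str
    kind: str                          # "employee" or "vendor" (assumed categories)
    expires: Optional[datetime]        # None = no expiry recorded
    logon_hours: Tuple[time, time]     # permitted logon window (start, end)
    badge_hours: Tuple[time, time]     # permitted facility-access window
    logons: List[datetime] = field(default_factory=list)
    badge_events: List[datetime] = field(default_factory=list)

def outside(ts, window):
    """True if the time-of-day of ts falls outside the (start, end) window."""
    start, end = window
    return not (start <= ts.time() <= end)

def review_account(acct, now):
    """Return the findings for one account; an empty list means it passed review."""
    findings = []
    if acct.kind == "vendor" and acct.expires is None:
        findings.append("vendor account has no expiry date")
    if acct.expires is not None and acct.expires < now:
        findings.append(f"expired {acct.expires:%Y-%m-%d} but still enabled")
    for ts in acct.logons:
        if outside(ts, acct.logon_hours):
            findings.append(f"logon outside permitted hours at {ts:%Y-%m-%d %H:%M}")
    for ts in acct.badge_events:
        if outside(ts, acct.badge_hours):
            findings.append(f"badge use outside permitted hours at {ts:%Y-%m-%d %H:%M}")
    return findings

def risk_indicator(accounts, now):
    """KRI for the review: share of accounts with at least one finding."""
    flagged = sum(1 for a in accounts if review_account(a, now))
    return flagged / len(accounts) if accounts else 0.0

# Constructed sample records for the review (not taken from any real system).
NOW = datetime(2024, 3, 1, 9, 0)
BUSINESS = (time(7, 0), time(19, 0))
ACCOUNTS = [
    Account("alice", "employee", None, BUSINESS, BUSINESS,
            logons=[datetime(2024, 2, 28, 8, 30)], badge_events=[datetime(2024, 2, 28, 8, 25)]),
    Account("bob", "employee", None, BUSINESS, BUSINESS, logons=[datetime(2024, 2, 27, 23, 10)]),
    Account("hvac-vendor", "vendor", datetime(2024, 1, 31), BUSINESS, (time(9, 0), time(17, 0)),
            badge_events=[datetime(2024, 2, 29, 18, 0)]),
    Account("temp-contractor", "vendor", None, BUSINESS, BUSINESS),
]
```

Calling `review_account` on each record and `risk_indicator` on the list gives the per-account findings and the KRI a periodic review would report to management.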