Good morning all…

I’d like to introduce you to this wild new concept… a _MONDAY_ posting from yours truly.

The topical material for this new Monday feature is “How to do a good job of the real job of the information security professional.” AKA, do what you need to be doing rather than what you inevitably end up doing.

For this first column, let’s consider together the MITs (Most Important Tasks) for your upcoming week. This is an idea that I’ve snarfed from several of the current crop of productivity gurus (Merlin Mann, Leo Babauta and others) and it’s made a difference in my world.

This week, I’d like you to consider putting some effort into your compensating controls. You’ve heard me rant about fragile technical preventative controls – and I know that for many of you, fooling about with those technical systems is what you spend your Monday mornings doing. The compensating control that I’d like you to consider for this week is a review of your Policy and Standards Exceptions documentation.

I know – you’re thinking to yourself, “This Myrcurial creep has finally cracked.”

The reality is that when it comes to audit time, having those Policy and Standards Exceptions either not documented, expired, or inadequately documented is going to cause you more of a headache than missing that ICMP sweep from some random cable modem in Iowa.

Recall that for a decent Policy and Standard Exception, you need the following:

– unique name
– inception date
– tracking number/version control
– description of exception required (quote the relevant section)
– any risk mitigations (additional controls)
– expiry date
– evidence of sign off
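As an added example (my own, not from this post), here is a small Python checker that takes an exception register as a list of dicts keyed by the seven items above and reports what an auditor would flag: missing fields, duplicate names, descriptions that do not quote the relevant section, and exceptions that have already expired or expire within 30 days. The "section" keyword heuristic, the 30-day warning window and the sample records are assumptions.

```python
from datetime import date

# Fields the checklist above requires for a Policy and Standards Exception.
REQUIRED_FIELDS = (
    "name",         # unique name
    "inception",    # inception date, ISO 8601 string
    "tracking",     # tracking number / version
    "description",  # must quote the relevant policy/standard section
    "mitigations",  # list of additional (compensating) controls
    "expiry",       # expiry date, ISO 8601 string
    "sign_off",     # evidence of sign-off (who, when)
)

def review_exception(rec, today_iso, seen_names, warn_days=30):
    """Return audit findings for one record; an empty list means it is audit-ready."""
    today = date.fromisoformat(today_iso)
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    name = rec.get("name")
    if name:
        if name in seen_names:
            findings.append("duplicate name")
        seen_names.add(name)
    # Assumption: "adequately documented" means the description cites a section.
    desc = rec.get("description", "")
    if desc and "section" not in desc.lower():
        findings.append("description does not quote the relevant section")
    expiry = rec.get("expiry")
    if expiry:
        exp = date.fromisoformat(expiry)
        if exp < today:
            findings.append(f"expired on {expiry}")
        elif (exp - today).days <= warn_days:
            findings.append(f"expires within {warn_days} days ({expiry})")
    return findings

def review_register(register, today_iso):
    """Review every record; returns [(name, findings), ...] in register order."""
    seen = set()
    return [(r.get("name") or f"<unnamed #{i}>", review_exception(r, today_iso, seen))
            for i, r in enumerate(register)]

# Constructed sample register: one well-formed exception and one that would hurt at audit time.
SAMPLE_REGISTER = [
    {"name": "EXC-001", "inception": "2006-11-01", "tracking": "v2",
     "description": "Exception to section 9.4.6 (network routing control): legacy modem bank",
     "mitigations": ["ACL on terminal server", "weekly log review"],
     "expiry": "2007-11-01", "sign_off": "CISO, 2006-11-03"},
    {"name": "EXC-002", "inception": "2006-01-15", "tracking": "v1",
     "description": "Shared admin account on the backup host",
     "mitigations": [], "expiry": "2006-07-15", "sign_off": "IT manager, 2006-01-15"},
]
```

Running `review_register(SAMPLE_REGISTER, "2007-01-22")` gives EXC-001 a clean bill and flags EXC-002 for missing mitigations, no cited section, and an expiry six months past.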

I’m guessing that you’re missing some (if not all) of those pieces and maybe, just maybe, you’re going to double check your documentation so that you’re not scrambling when audit comes calling.

Feel free to comment – tell me I’m an idiot, tell me what you think is more important for this week, tell me what you think I should be doing that I’m probably not.

Until Friday!

[tags]MITs, Infosec Management, compensating controls, ISO 17799[/tags]

Comments

  1. I probably would… except I find that mathematical representation of risk doesn’t really fly with the rest of the C-suite – they’re much more comfortable with the simplified matrix – Orange Jumpsuit, Lose My House, Rubber Glove Treatment, Look Stupid. I think that I might just have to add a new discussion thread — how to map “Infosec – by the book” to “Infosec – the Yes People” — because there is value in attempting to do a good job of applying metrics to risk analysis, but that value is hard to articulate to the people who pay the bills. Thanks for the comment, Alex.
