Liquidmatrix Security Digest

Do your REAL job…

Good morning all…

I’d like to introduce you to this wild new concept… a _MONDAY_ posting from yours truly.

The topical material for this new Monday feature is “How to do a good job of the real job of the information security professional.” AKA, do what you need to be doing rather than what you inevitably end up doing.

For this first column, let’s consider together the MITs (Most Important Tasks) for your upcoming week. This is an idea that I’ve snarfed from several of the current crop of productivity gurus (Merlin Mann, Leo Babauta and others) and it’s made a difference in my world.

This week, I’d like you to consider putting some effort into your compensating controls. You’ve heard me rant about fragile technical preventative controls – and I know that for many of you, fooling about with those technical systems is what you spend your Monday mornings doing. The compensating control that I’d like you to consider for this week is a review of your Policy and Standards Exceptions documentation.

I know – you’re thinking to yourself, “This Myrcurial creep has finally cracked.”

The reality is that when it comes to audit time, having those Policy and Standards Exceptions either not documented, expired, or inadequately documented is going to cause you more of a headache than missing that ICMP sweep from some random cable modem in Iowa.

Recall that for a decent Policy and Standards Exception, you need the following:

– unique name
– inception date
– tracking number/version control
– description of exception required (quote the relevant section)
– any risk mitigations (additional controls)
– expiry date
– evidence of sign off

I’m guessing that you’re missing some (if not all) of those pieces and maybe, just maybe, you’re going to double check your documentation so that you’re not scrambling when audit comes calling.
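The double check the column is asking for, as an added example that is not part of the original post: a small audit over an exceptions register that flags any of the seven items above that are missing, descriptions that do not quote a section, and expired entries. The field names, the section heuristic, the 30-day warning window and the sample records are all constructed for this example.

```python
import re
from datetime import date, timedelta

# The seven items the column lists for a decent Policy and Standards Exception
# (field names are constructed for this example, not a standard schema).
REQUIRED_FIELDS = (
    "name", "inception_date", "tracking_id", "description",
    "risk_mitigations", "expiry_date", "sign_off",
)
# Loose check for "quotes the relevant section": a clause number like 10.4.1
# or the word "section". Constructed heuristic; tune it to your policy numbering.
SECTION_REF = re.compile(r"\b\d+(?:\.\d+)+\b|\bsection\b", re.IGNORECASE)
SOON = timedelta(days=30)           # constructed warning window before expiry
AUDIT_DATE = date(2008, 4, 14)      # constructed "today" for the sample run

def audit_exception(record, today):
    """Return the findings for one record; an empty list means it is audit-ready."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):            # None, "", or an empty list all count as missing
            findings.append(f"missing {field}")
    desc = record.get("description") or ""
    if desc and not SECTION_REF.search(desc):
        findings.append("description does not quote the relevant section")
    expiry, inception = record.get("expiry_date"), record.get("inception_date")
    if expiry and expiry < today:
        findings.append(f"expired {expiry.isoformat()}")
    elif expiry and expiry - today <= SOON:
        findings.append(f"expires within {SOON.days} days")
    if expiry and inception and expiry < inception:
        findings.append("expiry precedes inception")
    return findings

def audit_register(register, today):
    """Map tracking id -> findings, keeping only records that have findings."""
    report = {}
    for i, rec in enumerate(register):
        findings = audit_exception(rec, today)
        if findings:
            report[rec.get("tracking_id") or f"record#{i}"] = findings
    return report

# Constructed sample register: one complete record and one that hurts at audit time.
SAMPLE_REGISTER = [
    {"name": "Legacy telnet on console server", "inception_date": date(2008, 1, 7),
     "tracking_id": "EXC-0001 v2", "description": "Exception to section 10.4.1 (remote access).",
     "risk_mitigations": ["jump host only", "session logging"], "expiry_date": date(2009, 1, 7),
     "sign_off": "CISO, 2008-01-07"},
    {"name": "Shared admin account on backup server", "inception_date": date(2007, 3, 1),
     "tracking_id": "EXC-0002", "description": "Team needs a shared login.",
     "risk_mitigations": [], "expiry_date": date(2007, 9, 1), "sign_off": ""},
]

if __name__ == "__main__":
    for tracking_id, findings in audit_register(SAMPLE_REGISTER, AUDIT_DATE).items():
        print(tracking_id, "->", "; ".join(findings))
```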

Feel free to comment – tell me I’m an idiot, tell me what you think is more important for this week, tell me what you think I should be doing that I’m probably not.

Until Friday!

[tags]MITs, Infosec Management, compensating controls, ISO 17799[/tags]
