Assessing Security Control Effectiveness

Information security is only properly achieved when all of the associated assets such as data centres, offices, servers, laptops and software have been properly risk assessed. Each category of “supporting asset” will attract its own combination of controls from Annex A of the ISO27001 standard, but how can we really understand whether these controls are operating correctly and contributing to the protection of data? Many of these controls are capable of providing large volumes of activity related information, but one area we frequently note as needing improvement is the amount of time and care devoted to checking what this information tells us, and whether follow-up action is necessary.

These days, your premises will more often than not be secured by a combination of access controls, including recorded CCTV or access control mechanisms fitted to doors. Both of these data sources provide valuable information to confirm that the access and actions of your employees, contractors or visitors is in accordance with your organisation’s security policies, although it is estimated that only about half of such systems are subject to periodic or even random checks. Further, insurer surveys note that nearly a quarter of all CCTV systems cannot provide the quality of images that would help to properly identify an individual if needed for a security investigation. Physical security infrastructure produces valuable information that should be regularly reviewed for anomalies.

Technically, organisations are likely to have network protection, firewall logs and system access reports – another set of data that needs your careful management and review if it is to provide any form of useful security control for data. Many companies will only have the resources to look into such information reactively if needed for a security investigation, and this is clearly the wrong time to find that logs are not being recorded properly, time stamps are incorrect, etc. Taking a proactive approach will be more expensive, but provides you with greater visibility in real time of actions that could be undermining your data security. The UK Government’s GPG13 document provides a recognised list of 12 Protective Monitoring Controls (PMC1-12) which illustrate how proactive monitoring should take place – more details can be found at www.gpg13.com.

Even the most common of vulnerabilities has the potential to cause serious and potentially irrecoverable damage to a business. Does your organisation operate appropriate anti-virus and anti-malware software? These too need your regular attention to ensure that they are being regularly updated, and are using the very latest set of virus definitions and malware alerts. Checks should also be in place to confirm that all of your servers, laptops, desktops and mobile devices are being properly protected, and action taken against any user who tampers with or removes such controls.

These are just a few examples of how selected security controls need to be managed in order to provide the best possible protection to your organisation. Simply selecting a control as part of an asset risk assessment is a false economy if you cannot be sure that related records are being reviewed to ensure optimum protection. Customers should have the option to mandate whether evidential records need to be linked to a selected control. This association helps to highlight where issues may exist, and once rectified provides substantial assistance to your external ISO27001 auditor who will be seeking to understand how security controls have been implemented.

Written by: Martin Poole | Head of Security Practice at InfoSaaS Limited

 

Leave a Reply

Your email address will not be published. Required fields are marked *