Security 102: Information Security Plan Testing and Management


As our final class in the Security 102 series, you won't be surprised to learn that we're preparing for the big test. Not the kind with answer sheets and number two pencils, but the testing and management of our information security plan to ensure it is providing the protection your company needs.

Validating the Changes
Effective testing and management is designed to validate that changes in security controls do in fact provide the additional benefits they were designed to supply. Occasionally, a security control change that appeared beneficial at the design stage doesn't quite operate as expected--often due to a third-party factor that wasn't taken into account. When this occurs, the organization can consider a different approach.

Testing the Environment
Testing the environment after a new control has been implemented is valuable because it not only validates the operation of the control but should also identify any new vulnerability that the control may have unintentionally introduced.

Updating the Plan
Once the newly applied controls have been validated, the security management program must be updated. With this update the new 'security posture' is captured, and compliance with this posture can be measured and maintained. It is key to remember that at each stage of incremental improvement, previous stages must be maintained; otherwise the overall security posture does not improve--it may get worse!

Measuring Compliance and Reporting
A key consideration for the management strategy is not only measurement of compliance with a given security posture but also reporting on that compliance. Unless great care is taken with reporting, the whole process of security management soon becomes a hammer assaulting users, systems and network managers, and security administrators. The process then becomes an antagonistic 'big-brother' process rather than an enabling process that encourages the organization to maintain and, if possible, improve on its security posture.

Fostering Security Awareness
Another key factor associated with the implementation of the security plan is security awareness. Most people have roles and tasks in their jobs that have nothing whatsoever to do with information security--they need to be educated regarding security and then have that knowledge periodically reinforced.

An information security plan must include mechanisms that educate personnel without indoctrinating them and stress the importance of security without making employees unnecessarily paranoid. Successful security implementation and management will make the role of protecting information feel to employees like a given, natural behavior rather than an imposition.

Effective management also publicly stresses information security successes far more than it chastises information security breaches. Enabling people to feel positive and proactive about protecting information is far more effective than continuously berating them for failures. Of course, information security failures should be addressed quickly and effectively, but stressing positive successes often makes personnel want to correct the failing rather than feel pushed to correct it.

Summary
An information security plan is essential for protecting data as a business-critical and valuable company asset. Development, implementation, testing and management of a security plan can be a positive experience when completed in a thoughtful and incremental manner--following basic steps for creation and a gentle approach for adoption. The end result of a more secure computing environment--including a sharper competitive edge for the business--is well worth the effort.