Measuring and testing your Information Security – Part 2
In Part 1 of this blog series, Conosco's Information Security Manager explained the importance of continual cybersecurity improvement through measuring and testing. In Part 2, he details the various aspects and controls of internal cybersecurity measuring and monitoring.
Internal measuring and testing
Internal measuring and testing of an organisation's policies and controls should be done on a continuous basis. The organisation should define and document key metrics that are reported to management at least every 6 months, or more frequently in the case of a new system or where problems have been identified. These metrics should be relevant to each organisation and be selected to present a picture of how the current policies and controls are operating. It is no good defining a metric that is reported to management every quarter but does not actually indicate the health and effectiveness of the current controls. That only leads to a false sense of security while the information security of the organisation continues to become less effective. These metrics should also be easy to monitor and collect, not requiring hours of investigation and reporting; otherwise they will most likely not be collected consistently over time. An internal resource should be assigned the responsibility of collecting these metrics and reporting them to management.
Two additional methods of periodic internal testing of security controls are internal audits and vulnerability scans.
Most organisations define an internal audit programme to allow for at least annual auditing of the current policies and controls. These audits can be conducted by internal staff or by a consultant. The consultant option is attractive for many smaller businesses, or businesses that are new to conducting internal audits, as it allows them to get their internal audits conducted while bringing the skill level of their nominated internal audit resources up to the required level. For organisations that have internal staff capable of conducting audits, keeping the work in-house allows the organisation to retain more control and customisation over the audit processes, making them more applicable to the organisation.
Internal vulnerability scanning allows an organisation to passively test its technical security controls, as well as whether certain policies, such as patch management, are being adhered to. This scanning can be done by the internal IT department if present, or arranged through an external provider. These tests are not as invasive or expensive as penetration testing, and thus can be done as regularly as the organisation requires, although at least every 6 months is a good place to start. They provide a good means of monitoring technical security controls and the general technical security of the organisation.
Look out for Part 3 of this blog series, which will detail aspects of external measuring and testing.
In the meantime, if you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: email@example.com