Implementing information security policies and controls is a vital first step to enhancing the security of your information and your business as a whole. However, this is just the first step on a journey of continual improvement.
The importance of continual improvement through measuring and testing
When a policy is written, or a control is selected and implemented, it is designed to meet a point-in-time need. That need should be based on the vulnerabilities the business identified during its risk assessment process. This leads to two potential issues:
- Change over time
- Missed gaps
Risks, and the business operations that give rise to them, change over time. New risks arise, and currently identified risks become more or less important. This means that the policies and controls implemented last year may no longer be valid or adequate this year. Changes in legislation and compliance requirements, particularly those introduced by new contracts, are a good example of this.
It is also possible that a business has not identified an existing risk or gap, or that the control it has implemented does not sufficiently address the risk.
The best way to address both of these situations is to measure and monitor your policies and controls. This allows an organisation to ensure that its information is truly protected against risks, and also provides confidence to clients that the organisation is serious about IT security and protecting their information.
Measuring and monitoring your Information Security
Any control implemented by the business to address a risk should be measured for effectiveness. After all, you cannot manage what you do not measure. It is easy to implement something and then forget about it, assuming that it will keep working as intended. In a rapidly changing security landscape, that assumption is not one a business can afford to make. The business should document a means of measuring its Information Security controls and processes, and of reporting those measurements to Management in a meaningful way. This is especially important, and often required, for businesses that have any form of Information Security Management System in place, such as one certified to ISO 27001. Measurement also allows the business to identify trends and continually improve its controls, which is necessary to keep up with rapidly evolving Information Security threats.
Now that you have an understanding of the importance of continual monitoring and measuring, the next two blog posts in this series will cover the two main categories of measurement and monitoring – internal and external policy controls.
In the meantime, if you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: firstname.lastname@example.org