A new week gives me another opportunity to highlight the next pitfall from my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them. This week, I’d like to highlight “Pitfall #5 – Management Review of the Security Program.”
Your organization should ensure that management reviews of the overall security program are performed at planned intervals, at least semi-annually (twice a year). These reviews help ensure the continued suitability, adequacy, effectiveness, and continual improvement of the security program for your organization.
While there may not be a mandatory list of agenda topics for management reviews, at a minimum it is strongly recommended to include the following:
· Feedback from all interested parties
· Results of independent reviews
· Preventive and mitigating actions
· Security program status
· Security trends
· Security incidents
· Corrective Action Plans
· Recommendations from authorities
It is essential to retain documentation of each management review as evidence that the review took place. The action items and results of each review also need to be documented. This can be accomplished by simply retaining a copy of the agenda, the attendee list, and any notes recorded during the review meeting. This evidence can then be used as a control artifact to support future audits, assessments, or examinations.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.