With the Independence Day holiday earlier this week, the pitfall I’m highlighting here from my eBook, Security Program Pitfalls and Prescription to Avoid Them, is very appropriate – “Pitfall #6 – Independent Review of the Security Program.”
Your organization’s approach to managing your security program and its overall implementation (i.e., controls, policies, plans, procedures, monitoring, management, etc.) should be independently reviewed at planned intervals. This should occur at least annually. It’s also recommended to perform an independent review after any significant or material changes are made to your organization’s security program or technology environment. This helps to ensure changes to your adopted controls or technology environment are addressed in a current assessment report.
Independent reviews should include an assessment of how well your organization is adhering to its defined security program control requirements. These reviews should determine whether the tests and validation methods used internally to verify control compliance are sufficient to demonstrate the effectiveness of your security program controls to an external entity (e.g., an auditor, examiner, or regulatory body). Having an independent assessment report on hand will also likely satisfy multiple artifact or evidence requests from external auditors, examiners, or regulators.
If reviews are performed by internal personnel, they should be executed by personnel who do not participate in any of the operations or functions of the area being reviewed. A preferred option may be to have the reviews completed by an external service provider to ensure that independence is maintained.