This week, I’ll be posting two blog posts regarding the pitfalls from my eBook, Security Program Pitfalls and Prescription to Avoid Them. The first pitfall I’m highlighting this week is “Pitfall #7 – Continuous Monitoring.” The second will be posted later this week, so stay tuned.
All security program controls adopted by your organization need to be assessed at least annually. This is necessary to determine the extent to which controls are implemented, which controls are operating effectively, and which controls present an opportunity for improvement. This does not mean that all security controls need to be internally assessed at the same time.
Your organization should support a continuous monitoring strategy by developing and implementing a continuous monitoring plan, which should describe the scope and frequency of continuous monitoring activities. The plan should also identify the expected artifacts to be captured from these activities.
Your organization’s plan for continuous monitoring does not need to be overly complicated. Identifying the personnel responsible for the continuous monitoring of controls that are in place today is a good starting point. After an initial plan is in place, making incremental improvements over time is appropriate and encouraged.
Many organizations have found great success in dividing the continuous monitoring of controls into manageable segments. For example, if your security program contains 150 controls, addressing 12-13 controls each month is much easier to manage than addressing all 150 controls in a single two- to four-week period. An increase in the number of controls in place for your organization will increase the number of monthly tasks, but the workload will remain manageable and preclude the need for heroic efforts to perform continuous monitoring.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.