Independent Reviews of the Security Program
With the Independence Day holiday earlier this week, the pitfall I’m highlighting here from my eBook, Security Program Pitfalls and Prescription to Avoid Them, is very appropriate – “Pitfall #6 – Independent Review of the Security Program.”
Independent reviews are intended to provide an unbiased assessment of an organization’s security program. They highlight control effectiveness, identify control gaps, and present opportunities for program improvement. They also look at an organization’s security program through a different lens, without the assumptions frequently made by internal personnel. Those internal assumptions can lead to security program or compliance gaps for any organization, resulting in unnecessary risk if the assumptions about which controls exist, or how effectively they are operating, turn out to be incorrect.
Your organization’s approach to managing your security program and its overall implementation (e.g., controls, policies, plans, procedures, monitoring, management, etc.) should be independently reviewed at planned intervals. This should occur at least annually. It’s also recommended to perform an independent review after any significant or material change is made to your organization’s security program or technology environment. This helps ensure that changes to your adopted controls or technology environment are addressed in a current assessment report.
Independent reviews should include an assessment of how well your organization is adhering to your defined security program control requirements. These reviews should determine whether the tests and validation methods used internally to verify control compliance are sufficient to validate the effectiveness of your security program controls to an external entity (e.g., auditor, examiner, or regulatory entity). Also, having an independent assessment report will likely support multiple artifacts or evidence requests from external auditors, examiners, or regulators.
If reviews are performed by internal personnel, they should be executed by personnel who do not participate in any of the operations or functions of the area being reviewed. A preferred option may be to have the reviews completed by an external service provider to ensure independence is maintained.