Pitfall #5 of 100: Management Reviews of the Security Program
Updated: Jul 12
A new week gives me another opportunity to highlight the next pitfall from my eBook, Security Program Pitfalls and Prescriptions to Avoid Them. This week, I’d like to highlight “Pitfall #5 – Management Review of the Security Program.”
Organizations cannot manage what they do not measure – and in this case, also review. Regular management reviews of an organization’s security program need to be performed to provide insight into the effectiveness of the program controls that have been implemented. These reviews will likely identify opportunities for program improvement. An organization may fall victim to a false sense of security without routine internal management reviews of the security program that has been implemented to protect information, prevent incidents or breaches, and meet regulatory control requirements.
Your organization should ensure that management reviews of your overall security program are performed at planned intervals, at least semi-annually. This will help to ensure the continued suitability, adequacy, effectiveness, and continual improvement of the security program for your organization.
While there may not be a mandatory list of agenda topics for management reviews, at a minimum, it is strongly recommended to include the following:
· Feedback from all interested parties
· Results of independent reviews
· Preventive and mitigating actions
· Security program status
· Security trends
· Security incidents
· Corrective Action Plans
· Recommendations from authorities
It is essential to ensure that documentation of management reviews is retained as evidence of the occurrence of reviews. Action items or results of management reviews also need to be documented. This can be accomplished by simply retaining a copy of the agenda, the attendee list, and any notes that are recorded during the review meeting. This evidence can then be used as a control artifact to support future audits, assessments, or examinations.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.