This week, I’ll be posting two blog posts regarding the pitfalls from my eBook, Security Program Pitfalls and Prescription to Avoid Them. The first pitfall I’m highlighting this week is “Pitfall #7 – Continuous Monitoring.” The second will be posted later this week, so stay tuned.
Establishing a security program is not a “once-and-done” exercise. Continuous monitoring is necessary to avoid the potential pitfalls associated with implementing an effective security program and then ignoring it until the next assessment, exam, or audit occurs. Ignoring the program between assessments is neither an effective way to reduce risks for an organization nor a way to achieve and maintain compliance with required controls. Continuous monitoring should be used to change the perception of an organization’s security program from a “box checking exercise” to a commitment to implement policies, plans, procedures, controls, accountability, and behavior to improve the overall security posture, in perpetuity.
All security program controls adopted by your organization need to be assessed at least annually. This is necessary to determine the extent to which controls are implemented, which controls are operating effectively, and which controls present an opportunity for improvement. This does not mean that all security controls need to be internally assessed at the same time.
Your organization should support a continuous monitoring strategy by developing and implementing a continuous monitoring plan, which should describe the scope and frequency of continuous monitoring activities. The plan should also identify the expected artifacts to be captured from these activities.
Your organization’s plan for continuous monitoring does not need to be overly complicated. Identifying the personnel responsible for the continuous monitoring of controls that are in place today is a good starting point. After an initial plan is in place, making incremental improvements over time is appropriate and encouraged.
Many organizations have found great success in dividing the continuous monitoring of controls into manageable segments. For example, if your security program contains 150 controls, addressing 12-13 controls each month is much easier to manage than addressing all 150 controls in a single two- to four-week period. An increase in the number of controls in place for your organization will increase the number of monthly tasks, but it will remain manageable and preclude the need for heroic efforts to perform continuous monitoring.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.