We have reached the final post in this blog series and covered some of the main controls that should be present in a good security programme. As you will have seen there’s nothing overly complex or ground breaking involved, just a good pragmatic approach with sensible mitigations.
In the words of the famous song, “we’ve only just begun”. This is just the starting point of your security programme. If you’ve implemented some of the controls discussed you will have cracked the hardest part by getting started. The next step is to continuously review and make improvements, which the Plan Do Check Act cycle from ISO27001 can help with.
Another favourite standard of mine is ISO27001 and here is its Plan Do Check Act cycle:
- Plan
- Use the controls document deciding what is effective and create a programme of work to roll them out
- Do
- Get implementing, this doesn’t necessarily mean spending on new tools or technology. Make an investment in improving your process and getting the value out of existing tools
- Check
- My personal favourite, check that controls are working, get alerts, get reports, get a warm feeling that your hard work is paying off and your controls are actively working or that you are finding vulnerabilities to fix.
- Act
- And the control with the biggest impact, take some action, improve fix and remediate.
An additional word on alerting. Make sure alerts are actionable, so only try and report on things you are able to take a direct action to resolve. This keeps unnecessary noise to a minimum and keeps the process nice and lean. Join our mailing list for our forthcoming post on LEAN Security.
As discussed previously your simple and efficient Risk management process should be able to track all the inputs and their improvements. Consider creating a simple monthly dashboard of improvements or stats from AV, patching, proxy blocks, Vulnerability alerts etc. Graph this month by month to ensure you stay on track.
Now you have embedded the whole process into your business, ensure you are weekly monthly, bi-annually checking fixing, implementing and repeating the whole process. Make the process fit your business and make it BAU and you’ll be set for continuous improvements in your control environment.