Security's Everyman

Thursday, August 30, 2007

Staying Fresh

Rebecca Herold has a good post on her blog about keeping your security, privacy, or compliance program fresh. She makes a good analogy between how your program can slowly become ineffective over time due to lack of attention and how running shoes can slowly become less effective over time. I can't relate to that because I bought my new running shoes in April and they haven't had as many miles put on them as hers get in one day. Try as I may, I just can't get into a running frame of mind.

I've seen first-hand how programs start strong and slowly erode or die over time. They don't get the TLC that they need to stay alive. They are put in place to satisfy an audit or a new boss, and then they end up in a closet or on a shelf, only to be given a passing glance from time to time.

I recently did a review and update of security policies for a company. What they had was between 4 and 8 years old. They had been created (mostly by just changing the company name on a template) and filed away. As I looked over them I started asking questions about them. Is this really what is done? Where is the ??? to back this policy up? Where are the ??? that this policy states is happening? Blank stares and hidden smiles met me. They weren't being followed. They were just there to satisfy a whim.

These documents and programs are living. They are meant to be reviewed regularly, followed consistently and changed as needed. They are not static documents that exist just to satisfy an audit. When I create a policy program or a security plan I make sure to write it in such a way that those who are entrusted with it know that it is a living document. I include regular review schedules, and then I encourage those who are entrusted with them to go ahead and put reminders in their calendars to review them. I can't make them do it unless they report directly to me, but I can try to make it easy for them to do.
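The review schedule the post recommends is easy to lose in a calendar; a policy register that records each document's last review date and promised interval can tell you, on any given day, which policies are current, which are coming due and which have quietly expired. The following is an added example, not code from the post or from Rebecca Herold; the register entries, owners and dates are constructed sample data, and the 30-day "due soon" window is an assumed choice.

```python
from datetime import date, timedelta

# Constructed sample policy register (not from the post). Each entry records
# who owns the document, when it was last reviewed, and how often the policy
# itself says it must be reviewed.
POLICY_REGISTER = [
    {"name": "Acceptable Use Policy", "owner": "it-security",
     "last_reviewed": date(2007, 1, 15), "review_every_days": 365},
    {"name": "Password Policy", "owner": "it-security",
     "last_reviewed": date(2003, 6, 1), "review_every_days": 365},
    {"name": "Log Review Procedure", "owner": "soc",
     "last_reviewed": date(2007, 6, 30), "review_every_days": 90},
]

# Assumed threshold: warn this many days before a review falls due.
DUE_SOON_DAYS = 30


def next_review_due(policy):
    """Date on which the policy's own review interval expires."""
    return policy["last_reviewed"] + timedelta(days=policy["review_every_days"])


def policy_status(policy, today):
    """Return (status, days) where status is 'current', 'due_soon' or
    'overdue'. For 'overdue', days is how long the review has been missed;
    otherwise it is the number of days until the next review is due."""
    due = next_review_due(policy)
    delta = (due - today).days
    if delta < 0:
        return "overdue", -delta
    if delta <= DUE_SOON_DAYS:
        return "due_soon", delta
    return "current", delta


def review_report(register, today):
    """Group policies by owner so each owner gets one reminder listing
    everything they are responsible for, worst status first."""
    order = {"overdue": 0, "due_soon": 1, "current": 2}
    report = {}
    for policy in register:
        status, days = policy_status(policy, today)
        report.setdefault(policy["owner"], []).append(
            {"name": policy["name"], "status": status, "days": days,
             "due": next_review_due(policy).isoformat()})
    for items in report.values():
        items.sort(key=lambda item: (order[item["status"]], item["name"]))
    return report


def overdue_policies(register, today):
    """Names of every policy whose review interval has already expired."""
    return [p["name"] for p in register
            if policy_status(p, today)[0] == "overdue"]


if __name__ == "__main__":
    today = date(2007, 8, 30)  # the post's date, used as the reference day
    for owner, items in review_report(POLICY_REGISTER, today).items():
        print(f"Owner: {owner}")
        for item in items:
            print(f"  {item['status']:9} {item['name']} (due {item['due']}, {item['days']} days)")
```

Run against the sample register on the post's date, the four-year-old Password Policy shows up as overdue, the quarterly Log Review Procedure as due within the month, and the Acceptable Use Policy as current. Feeding the real register to a scheduled job that mails each owner their section is the "reminder in the calendar" that does not depend on anyone remembering to set one.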

Another area that gets ignored is log review. Most people hate to review logs, especially if they don't have a SIM, SEM or some other method for automating it. I've done it before. I've had to sift through thousands of entries to try and find the "bad" stuff. It's no fun. Unfortunately it has to be done, and you need to be able to prove that you are doing it. If your policy says that you are doing it then the auditors are going to want to see proof. How many times have you or someone you know spent a day or two prior to an audit "falsifying" log reports, going through and checking off that they were reviewed when they hadn't been looked at in days, weeks or months?
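Two things make log review sustainable: automating the sifting so a person only reads what the filter flags, and producing a record of each review that an auditor can check and that cannot be back-filled the week before the audit. The block below is an added example, not code from the post; it scans a constructed set of sshd-style authentication lines for repeated failed logins per source, then writes a review record that carries a hash of the exact log content reviewed and a hash link to the previous record, so a gap or a rewritten entry shows up when the chain is verified. The threshold of three failures and the log format are assumptions.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample auth log (not real data): two ordinary logins and a burst
# of failures against several accounts from one source.
SAMPLE_LOG = [
    "Aug 30 08:01:02 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Aug 30 08:02:10 host sshd[1202]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Aug 30 08:02:12 host sshd[1203]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Aug 30 08:02:15 host sshd[1204]: Failed password for admin from 203.0.113.7 port 40124 ssh2",
    "Aug 30 08:02:19 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40125 ssh2",
    "Aug 30 08:15:44 host sshd[1210]: Failed password for bob from 10.0.0.9 port 51100 ssh2",
    "Aug 30 08:15:50 host sshd[1211]: Accepted password for bob from 10.0.0.9 port 51101 ssh2",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
FAILURE_THRESHOLD = 3  # assumed: flag a source once it reaches this many failures


def review_log(lines):
    """Count failed logins per source address and return one finding per
    source that reaches the threshold, listing the account names tried."""
    failures = defaultdict(list)
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            user, source = match.groups()
            failures[source].append(user)
    return [
        {"source": source, "failures": len(users), "users": sorted(set(users))}
        for source, users in sorted(failures.items())
        if len(users) >= FAILURE_THRESHOLD
    ]


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_review(log_name, lines, findings, reviewer, reviewed_at, previous=""):
    """Build a review record that binds the reviewer and time to the exact
    log content examined and to the previous record's hash."""
    record = {
        "log": log_name,
        "reviewer": reviewer,
        "reviewed_at": reviewed_at,
        "lines_reviewed": len(lines),
        "log_sha256": _sha256("\n".join(lines)),
        "findings": findings,
        "previous": previous,
    }
    record["record_sha256"] = _sha256(json.dumps(record, sort_keys=True))
    return record


def verify_chain(records):
    """True if every record's hash still matches its content and each record
    points at the hash of the one before it (the first points at '')."""
    expected_previous = ""
    for record in records:
        body = {k: v for k, v in record.items() if k != "record_sha256"}
        if record.get("previous") != expected_previous:
            return False
        if _sha256(json.dumps(body, sort_keys=True)) != record.get("record_sha256"):
            return False
        expected_previous = record["record_sha256"]
    return True


if __name__ == "__main__":
    findings = review_log(SAMPLE_LOG)
    first = record_review("auth.log", SAMPLE_LOG, findings, "reviewer@example",
                          "2007-08-30T09:00:00Z")
    second = record_review("auth.log", SAMPLE_LOG[-2:], review_log(SAMPLE_LOG[-2:]),
                           "reviewer@example", "2007-08-31T09:00:00Z",
                           previous=first["record_sha256"])
    print(json.dumps(findings, indent=2))
    print("chain valid:", verify_chain([first, second]))
```

The record answers the auditor's question ("show me that this log was reviewed on that day, and what came of it") with something stronger than a checkbox: the content hash pins which lines were actually examined, and the chain link means a record inserted after the fact, or an edited one, breaks verification. Keep the records somewhere the reviewers cannot quietly rewrite, or the chain proves little.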

It's important to remember that these things are crucial to the success of your information security program. If you let them get sick or die then your program will do the same. Security professionals need to follow the policies, and those in management need to ensure that they are being followed. Those who are tasked with keeping the policies or program alive need to be proactive in doing so. Don't wait until the last minute and try emergency CPR. If you schedule a little time weekly or monthly to check on them, they will stay healthy and your program will be more successful.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.