Enterprise Information Technology Management

06 Jan

Continued Validation as a Key Element of Any Security Policy

Most competent organizations adopt a base set of security standards for the technology they deploy.  Over time, though, those standards must be revised to account for new information, new vulnerabilities, and so on; at the same time, the technology components themselves will drift away from the desired security settings.

A critical element of an enterprise security policy is to periodically revalidate the physical technology infrastructure against the current security policy requirements.  This implies three things:

  1. We know about all of the technology components that exist in the enterprise infrastructure
  2. We know who is responsible for maintaining each component
  3. We have some scalable mechanism for performing the validation

Providing a feedback loop from the validation system to an enterprise trouble ticket system will allow the person responsible for a non-compliant component to be notified of the non-compliance, and will allow for a uniform escalation process for unresolved issues.

Highly decentralized organizations may find that centralized enforcement is not a possibility.  In those cases, relying on individual business areas to perform their own validations is required.  The internal audit function plays a vital role in organizations that wish to maintain control and accountability without a central ability to validate policy compliance.

It is also vital to accommodate the situations where compliance is not possible.  It should be mandatory to implement some form of mitigating control to reduce the risk to the organization caused by the non-compliance.  Additionally, requiring secondary controls will make being out of compliance less attractive to system owners.

© 2008 Enterprise Information Technology Management