Thursday, July 24, 2008

The Frequency for Security Report Reviews

Q: How often do you review your security reports? Often, sometimes or never?
Security requires a hands on aproach, monitoring, reviewing and patching. In the case where there is no dedicated security personal onsite, are you reviewing the reports on a weekly basis, (often), monthly, (sometimes), or never? If sometimes or never, why not?

A: ....,
As you know, on a broader picture security reports must be managed.

The frequency for the review (which is a part of security management) can be determined by the security management approach of the operation. The frequency of reviews depends on the risk level of the protected assets.

Calculation of the review frequency can be based on a simple logic: The cost of the review (people/time/other resources etc) should be justified by the cost of risk avoided.
If the cost is right, then perform the reviews as often as possible.

As an example real-time log monitoring, on-site information security team and daily security review of reports make sense for a financial or healthcare operation where lives, hard cash figures determine the risk. On the other side it might be ok to batch process logs and review the reports weekly for a mom & pop hardware store based on the information risk appetite taken.

Other management concerns for security report reviews (besides frequency) are:
1- Who reviews the reports
2- Who approves/signs-off the reviews
3- How is the review process documented
4- How are the reviews’ effectiveness measured
5- How are the reviews are improved

Let me know if you have a specific question.
regards,
- yinal ozkan

No comments: