
SANS ISC InfoSec Forums: Trust But Verify


Trust But Verify

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to check a handful of items for compliance each and every month. While not intended to replace the value of an auditor, this approach generates incremental value from the overall compliance process. If you are required to comply with PCI DSS, you are in luck: it has 12 requirements, so you can easily build a table that pairs one requirement with each of the 12 months of the calendar year. Under each month, list the specific items for that requirement that are important to verify. Printed out and kept nearby, the table serves as a reminder to be diligent about tracking progress over time. Compare it year over year and look for trends; they help identify the sometimes small areas of focus that can make a big impact.
 
I have used this approach to expect more of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about the table; it simply forced me to be intentional each and every month. Using this approach, unexpected "compliance drift" can be identified and remediated much more promptly. The same approach can be applied within several other regulatory compliance regimes. If you do not have one, ask friends and colleagues who do what they find beneficial in their respective environments. As always, a great place to start is the 20 Critical Security Controls.
 
Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
 
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
 
Russell Eubanks
@russelleubanks
I will be teaching next: Security Strategic Planning, Policy, and Leadership - SANS Rocky Mountain 2019

Russell (ISC Handler)
Getting some great comments on this topic. A reader just wrote in -

"I like the term 'intentional' because that is what was done. Security does not happen by a lucky accident but by focused intent. It takes more time to set up initially, but it really worked well for me. Ultimately it took less time to maintain a secure system than it would have to clean up after a big problem."

Great insight. Keep them coming!
Russell