The effective implementation of a self-assessment process can increase the value of your information security program. You will get positive response when the program is working well and definite indications when something is wrong. A self-assessment doesn't take the place of external assessments; it complements them by ensuring the best-possible preparation for an external assessment. By following a few tested principles, periodic self-assessment can help make your information security program shine.
Conduct Periodic Assessments
A complete information security assessment should be conducted at least annually; a semi-annual review is preferable. The assessment must be all-encompassing, including every element that would normally be reviewed by an outside auditor or inspector. The assessment must include a review of company policies, procedures, critical or sensitive material safeguarding practices (accountability, transmittal, reproduction, and more), installation and maintenance of information systems, human resource practices (hiring and termination procedures), and other relevant areas.
Use a Checklist
Your primary sources of information will be documents and people. To make your information gathering easier, to ensure completeness and to improve the consistency of your assessment, use a self-assessment checklist as a guide in conducting your security review. To get a clear picture of the state of security at your company you must:
- Know the requirements by which you are evaluated (this is where a checklist will help);
- Know your facility's physical layout (i.e., where the critical assets, sensitive information and intellectual property are stored or worked on); and
- Have knowledge of the business and technical processes involved at your facility.
Your job as an assessor is to verify and validate that your company's information security program is properly protecting critical business and client assets and information. To do this, review your self-assessment criteria against appropriate documentation, people and their actions (processes). Again, this is where a self-assessment checklist will help. It not only addresses information security requirements, but it also organizes them into elements of common security concern.
To create a self-assessment checklist, you must first identify the specific areas to be covered in the information security assessment, such as personnel access processes, information systems/technology policies, and data classification and handling processes. Your company's information security manager probably has the most comprehensive understanding of the organization's requirements. Alternatively, you can solicit assistance from an independent third party. In addition to providing unbiased results, experienced and knowledgeable third-party reviewers can provide you with current guidance, recommendations and valuable assistance.
Use Top-Down Interviewing
Begin the interviewing process at the corporate or senior management level. Prepare by reviewing the company's corporate information security policy documents. Ask management what is being planned at the corporate level. Are there any buyouts, mergers or facility expansions under consideration? These and other changes may affect your current information security policies, implementation processes and business continuity plans. Then, use the information you obtain during these interviews to tailor your discussions with midlevel managers and general staff.
As with upper management, focus your discussions with midlevel and program managers on the company's published information security policies and practices, concentrating on their effectiveness or performance impact within each manager's specific domain. Review what their projects entail, which elements are identified as critical or sensitive, and why. Ask them how many of their personnel require access to this information (Is there a business need for every person on the project to be permitted access? Who decides? What is the process?). The list of possible questions can be quite lengthy, and some of the questions recommended for general staff will be applicable, too.
Your interviews with general staff members should address security policies and procedures not only for their particular domain but also for most areas within your facility, such as visitor control procedures, reporting of security incidents and password policies.
Remind staff that your information security assessment is designed to determine the level of security awareness at your facility and that outside audit agency representatives may choose to ask them similar questions during a formal audit. While only a few employees might actually participate in an outside audit, all must have a working knowledge of approved security practices.
Follow Up With Management
Share your findings from the information security review with management. It's management's responsibility to evaluate the overall effectiveness of the company's information security program, including this self-assessment process, and they will require your feedback to do so. Sharing the results of the review may also prove useful in obtaining support to solve recurring or entrenched security issues.
Document Your Results
It is important, and under some circumstances a requirement, to maintain a formal, documented record of your information security review. This documentation must include:
- The date(s) of the review;
- A summary of the assessment process;
- The names and positions of participating personnel;
- A description of findings;
- Corrective action taken or proposed (written and verbal, as required);
- Completed checklists (if used); and
- Signatures of assessor(s) and a member of senior management.
This record must be retained for one assessment cycle (not to exceed one year). Additionally, as previously stated, the purpose of this assessment is to measure and help improve the company's information security program. It's a tool for identifying security limitations and improving internal security processes. Therefore, though you may be required to perform, document and maintain a record of periodic security assessments, the detailed results of the assessment are considered "proprietary" to the company, and in most cases aren't subject to external review.
Summary
By conducting periodic reviews of policies and processes within the organization, a self-assessment program provides reassurance that the security program is working properly and permits early identification of problems when it's not. To make the most of your self-assessment program, conduct periodic and comprehensive reviews, use a checklist, use a top-down interviewing process, follow up with management and document the results of your review.
Self-assessment is a vital component of a mature information security program. If you follow these self-assessment principles, you can make your information security program shine.
Sheri Horseman is a senior security analyst at Dayton, Ohio-based Safe Corp. and has more than 20 years of experience in the assessment, management, administration, implementation, training and awareness of full-scale industrial security programs for the Department of Defense and commercial organizations.