1
00:00:00,005 --> 00:00:02,004
- [Narrator] Implementing security controls

2
00:00:02,004 --> 00:00:05,007
is only the beginning of the risk management journey.

3
00:00:05,007 --> 00:00:07,007
Security professionals must perform

4
00:00:07,007 --> 00:00:10,008
a variety of ongoing activities to ensure

5
00:00:10,008 --> 00:00:13,005
that risks remain properly managed.

6
00:00:13,005 --> 00:00:16,004
These include monitoring and assessing controls,

7
00:00:16,004 --> 00:00:20,000
measuring control effectiveness, reporting,

8
00:00:20,000 --> 00:00:21,009
and continuous improvement.

9
00:00:21,009 --> 00:00:25,004
Risk assessments represent a point-in-time analysis

10
00:00:25,004 --> 00:00:27,007
of the risks facing an organization

11
00:00:27,007 --> 00:00:32,001
and the ability of controls to manage those risks properly.

12
00:00:32,001 --> 00:00:35,004
The risk environment changes on a regular basis,

13
00:00:35,004 --> 00:00:37,009
and organizations should routinely review

14
00:00:37,009 --> 00:00:41,003
their risk assessments as well as perform periodic

15
00:00:41,003 --> 00:00:44,001
control assessments designed to test

16
00:00:44,001 --> 00:00:47,009
the correct functioning and effectiveness of those controls.

17
00:00:47,009 --> 00:00:51,002
For example, most organizations use a firewall

18
00:00:51,002 --> 00:00:53,008
to block unwanted network traffic.

19
00:00:53,008 --> 00:00:56,001
A control assessment of the firewall

20
00:00:56,001 --> 00:00:58,003
might use network scanning tools

21
00:00:58,003 --> 00:01:01,000
to verify that the firewall is not allowing

22
00:01:01,000 --> 00:01:04,008
any unwanted traffic through the network perimeter.

23
00:01:04,008 --> 00:01:07,009
Organizations should also conduct routine measurement

24
00:01:07,009 --> 00:01:10,007
of the effectiveness of their security controls

25
00:01:10,007 --> 00:01:15,000
and use this information to inform management reporting.

26
00:01:15,000 --> 00:01:17,003
For example, an organization might track

27
00:01:17,003 --> 00:01:19,009
the number of compromised end-user accounts

28
00:01:19,009 --> 00:01:22,004
as a means to evaluate the effectiveness

29
00:01:22,004 --> 00:01:24,006
of anti-phishing controls.

30
00:01:24,006 --> 00:01:27,000
They might also track the number of vulnerabilities

31
00:01:27,000 --> 00:01:29,004
detected in public-facing systems

32
00:01:29,004 --> 00:01:31,006
as a means to evaluate the effectiveness

33
00:01:31,006 --> 00:01:35,002
of operating system and application patching efforts.

34
00:01:35,002 --> 00:01:37,005
Organizations seeking to assess the security

35
00:01:37,005 --> 00:01:40,003
knowledge and skills of software developers

36
00:01:40,003 --> 00:01:42,004
might use the number of critical findings

37
00:01:42,004 --> 00:01:45,004
in initial scans of web applications.

38
00:01:45,004 --> 00:01:47,003
Finally, organizations might use

39
00:01:47,003 --> 00:01:50,008
the number of data breaches requiring notification

40
00:01:50,008 --> 00:01:54,003
of individuals as a measure of the overall effectiveness

41
00:01:54,003 --> 00:01:56,003
of their security program.

42
00:01:56,003 --> 00:01:59,000
All of these measures provide valuable information

43
00:01:59,000 --> 00:02:00,007
to management as they seek

44
00:02:00,007 --> 00:02:04,001
to refine their information security programs.

45
00:02:04,001 --> 00:02:06,000
All security programs should embrace

46
00:02:06,000 --> 00:02:08,004
a spirit of continuous improvement

47
00:02:08,004 --> 00:02:11,000
that seeks to enhance security controls

48
00:02:11,000 --> 00:02:14,001
and improve the overall state of information security

49
00:02:14,001 --> 00:02:16,006
in the organization over time.

50
00:02:16,006 --> 00:02:19,001
The results of control effectiveness measures,

51
00:02:19,001 --> 00:02:22,000
risk assessments, and expert knowledge

52
00:02:22,000 --> 00:02:25,004
should feed this continuous improvement process.