
SANS ISC: InfoSec Handlers Diary Blog



The Dreaded "D" Word of IT

Published: 2014-04-27
Last Updated: 2014-04-27 03:07:06 UTC
by Tony Carothers (Version: 1)
4 comment(s)

Weekends are usually a good time to catch up on the dreaded "D" word of IT professionals everywhere... Documentation. Security is a process, and as such requires good documentation to drive those processes. All organizations have (or should have) documentation to support their efforts and guide their work, typically in the form of a Site Security Plan, Change Control processes, Roles and Responsibilities, etc. These processes are in place to support constantly changing systems. Updating the documentation is often a painful task that gets set aside in favour of more intriguing work, so it is relegated to the weekend.

The landscape of technology, requirements, threats, and vulnerabilities changes every day, so the processes we use to support them need to adapt as well. One key to managing the document library is establishing an annual review cycle for it. These reviews can be spread across the calendar year to distribute the work; the larger documents can be sectioned out to team members for draft input and review over a period of time. Wherever possible, the review should include a peer or colleague who was not involved in writing the document, so that the feedback and analysis are objective.

Any process works best when it is known, documented, and implemented, and security processes require the same care and feeding as the systems they serve.

tony d0t carothers --gmail


Keywords: Change CM Process