Updating security procedures
Just as security policies should be reviewed and updated on a regular basis, security procedures need the same care and feeding.
For those procedures that are executed on a regular basis (e.g.
For procedures that are executed on a less frequent basis (e.g.
on a specific trigger like a disaster or incident) these procedures need to be reviewed and exercised at a minimum of once per year or as part of the “post-mortem” activities of an actual disaster or incident.
daily or monthly), the review should occur as part of the execution of the procedure.
Just make sure any updates are made in a timely manner.
Your organization has defined a policy (who, what, and why) regarding the creation of backups for critical information.
The supporting security procedure should define when the backups are executed, to what location and medium the backups are written, and how the individual steps to execute the backup are performed.
Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security.
A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.
Updating security is crucial as it helps in securing business information being safe and not affecting business activity.
Even though they may have executed the checklist hundreds of times, there is risk in relying on memory to execute the checklist as there could be some distraction that causes them to forget or overlook a critical step.
Much like pre-flight checklists, security procedures guide the individual executing the procedure to an expected outcome. Even though a system administrator has built and hardened hundreds of servers, the procedure to harden the server still needs to be followed to ensure the server is hardened correctly and to a level that still allows operability with the system of which it is a part.