ITIL - IT Service Management


Security Management

Evaluation and Maintenance

Evaluation

It is impossible to improve something you don't know about. It is therefore essential to evaluate compliance with the security measures, their results and the level of compliance with SLAs.

Although not essential, it is advisable for these evaluations to be backed up by external and/or internal security audits conducted by people who are independent of Security Management.

These evaluations/audits should assess the performance of the process and put forward improvements. These will be set out in RFCs, which will be sent for evaluation by Change Management.

Apart from these periodic evaluations, independent reports should be produced each time a serious security-related incident occurs. Again, if Security Management sees fit, these reports will be accompanied by the relevant RFCs.

Maintenance

Security Management is a continuous process and the Security Plan and security-related sections of the SLAs need to be kept up-to-date.

Changes in the Security Plan and the SLAs may be a result of the evaluation referred to above, or of changes made to IT infrastructure or services.

There is nothing so dangerous as the false sense of security that obsolete security measures give.

It is also important that Security Management is up-to-date regarding new risks and vulnerabilities caused by viruses, spyware, denial of service attacks, etc. and that the necessary hardware and software upgrades are made. The human aspect should also not be overlooked: the human element is usually the weakest link in the chain.

Version 2.0