Making sure security controls are working as expected is just as important as making sure backups are operating properly or patching is applied correctly. It isn’t uncommon for controls to fail, creating significant exposures: an EDR agent that does not block an exploit, for example, or a guardrail that fails to stop a public S3 bucket. Very rarely do companies revisit a security control after it is initially set up unless a security assessment points it out.
Simply having the security control in place isn’t enough; controls must be regularly tested and adjusted according to any changes in risk profile or environment. Without regular check-ins, the practical effectiveness of a control declines over time, and without an initial verification that it is in place as expected, its effectiveness is capped well below its potential capability. Here are a few tips to get started:
- Clearly outline the expected areas of applicability for a control. Define these and share them with all relevant parties.
- Align to a control framework such as ATT&CK or CSF, keeping things easily transferable to new risk evaluations.
- Select an appropriate methodology, using configuration guides that fit the environment best. CIS provides many working documents, as do most vendors.
- Perform annual security reviews to ensure controls are still relevant and working as expected.
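The four tips above amount to a repeatable procedure: record where each control is expected to apply, map it to a framework, define what "working" means, and re-check it on a schedule. The following is an added example of that procedure in code; it is not part of the original post and not any vendor's tooling. It defines three controls (the two failure cases mentioned above, S3 public exposure and EDR blocking, plus an account-level S3 guardrail), runs each check against a constructed environment snapshot, and reports which controls are ineffective and which are overdue for review. The snapshot contents, field names, function names and the framework references attached to each control are assumptions made for this illustration.

```python
# Added example (not from the original post): a minimal control-validation
# harness. Each Control records its expected scope, framework mapping, the
# check that defines "working", and when it was last reviewed. All names,
# field names and the snapshot below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class Control:
    name: str
    scope: str                      # expected area of applicability
    framework_refs: List[str]       # ATT&CK / CSF identifiers (illustrative)
    check: Callable[[dict], bool]   # methodology: what "effective" means
    last_reviewed: date             # drives the periodic review
    review_interval_days: int = 365


# --- individual checks; each returns True when the control is effective ---

def s3_account_public_access_blocked(snapshot: dict) -> bool:
    """All four S3 Block Public Access settings must be enabled."""
    pab = snapshot["s3"]["public_access_block"]
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(flag) is True for flag in required)


def no_bucket_grants_anonymous_access(snapshot: dict) -> bool:
    """No bucket policy statement may Allow an unconditional wildcard principal."""
    for bucket in snapshot["s3"]["buckets"]:
        for stmt in bucket.get("policy", {}).get("Statement", []):
            principal = stmt.get("Principal")
            wildcard = principal == "*" or (
                isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
                return False
    return True


def edr_blocking_on_all_servers(snapshot: dict) -> bool:
    """Every host in scope (role == server) must run EDR in blocking mode."""
    return all(h["edr"]["status"] == "running" and h["edr"]["mode"] == "block"
               for h in snapshot["hosts"] if h["role"] == "server")


def evaluate(controls: List[Control], snapshot: dict, today: date) -> List[Dict]:
    """Run every control's check and flag stale reviews."""
    results = []
    for c in controls:
        age_days = (today - c.last_reviewed).days
        results.append({"control": c.name, "scope": c.scope, "refs": c.framework_refs,
                        "effective": c.check(snapshot),
                        "review_overdue": age_days > c.review_interval_days})
    return results


# Constructed sample snapshot (not real data): the account-level guardrail is
# incomplete, one bucket policy is anonymous, and one workstation has a stopped
# agent that is out of scope for the "all servers" control.
SNAPSHOT = {
    "s3": {
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
        "buckets": [
            {"name": "internal-reports", "policy": {"Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-reports/*"}]}},
            {"name": "marketing-assets", "policy": {"Statement": [
                {"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}},
        ],
    },
    "hosts": [
        {"name": "web-01", "role": "server", "edr": {"status": "running", "mode": "block"}},
        {"name": "db-01", "role": "server", "edr": {"status": "running", "mode": "block"}},
        {"name": "laptop-42", "role": "workstation", "edr": {"status": "stopped", "mode": "block"}},
    ],
}

CONTROLS = [
    Control("S3 Block Public Access (account level)", "all AWS accounts",
            ["ATT&CK T1530", "CSF PR.DS-5"], s3_account_public_access_blocked, date(2023, 1, 15)),
    Control("No anonymous bucket policies", "all S3 buckets",
            ["ATT&CK T1530", "CSF PR.DS-5"], no_bucket_grants_anonymous_access, date(2024, 6, 1)),
    Control("EDR in blocking mode", "all servers",
            ["ATT&CK T1562.001", "CSF DE.CM"], edr_blocking_on_all_servers, date(2024, 9, 30)),
]


def run_example(today: date = date(2024, 11, 1)) -> List[Dict]:
    return evaluate(CONTROLS, SNAPSHOT, today)


if __name__ == "__main__":
    for r in run_example():
        status = "OK " if r["effective"] else "FAIL"
        stale = " (review overdue)" if r["review_overdue"] else ""
        print(f"[{status}] {r['control']} | scope: {r['scope']} | {', '.join(r['refs'])}{stale}")
```

Two things worth noticing in the output: the account-level guardrail fails because a single flag is off, which is exactly the kind of partial configuration that an initial verification catches, and the stopped agent on `laptop-42` does not fail the EDR control because the declared scope is "all servers". Whether that scope is right is a decision the first tip forces you to make explicitly rather than discover later.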
Keeping to this guidance will ensure longer-term usefulness and the best ROI on security control investments.