
Richard Bell is a well respected security professional with over 20 years of experience in corporate security and loss prevention environment. He is a Director of The Security Institute, Board Advisor at Ten Intelligence, and a Senior Manager at Transport for London specialising in the provision of protective security advice and assurance on physical, personnel, and cyber security. Richard is a recognised speaker on a number of security topics and has spoken at international security conferences in Europe and Africa.
March 20, 2013


8 Steps to Security Assurance

How do you create a structure for testing the performance of the security arrangements in a given organisation?

I’ve put together eight steps that have previously been applied in physical, personnel, and information security environments to gain an understanding of how well the security arrangements are working or being managed.

1 – Annual Security Assurance Plan
In conjunction with senior management and risk owners, look to develop, produce, and deliver an annual security assurance plan of risk-based assignments aimed at ensuring that security risks have been captured and are being effectively managed.

Speaking at IFSEC

Richard Bell is speaking at IFSEC International 2013

When: Mon 13 May 14:45

Where: Security Management Theatre

What: Security Integrity, Security Assurance

Register to hear Richard speak for free

It’s more than useful to obtain executive-level approval for the plan. Once approved, ensure that the plan is communicated throughout your organisation, clearly setting out the objectives, authority, and responsibilities of the security team conducting these security assurance assignments.

Following on from approval, develop the structure for how these assignments will be conducted. Below is an idea for a formal structure that could be adopted once the business area, owner, or auditee has been identified.

2 – Plan an opening or scoping meeting
A planning meeting should be arranged with the auditee to agree the areas of scope and to gain a better understanding of their business area. The meeting should cover: setting the appropriate level of questions so that the level of risk maturity can be determined; confirmation and agreement of the area under review; the objective and scope; agreement of the key risks; key contacts; and dates.

3 – Engagement letter
This information can then be used to set out the detail that’s captured in an engagement letter. Once complete, this letter is issued to the principal auditees and senior management before fieldwork starts.

The engagement letter is an essential document within this process because it enables and drives key staff to have an input. It clarifies the work that will be done, confirms the timing of the audit, and establishes the responsibilities of all parties concerned.

4 – Security Audit Programme
Now, a Security Audit Programme should be created. The Security Audit Programme sets out, in more detail, the actual testing that will be carried out to address each of the areas in the scope.

5 – Fieldwork
The audit programme is used as a basis to effectively align the fieldwork with the risks to be reviewed. This programme is the main document that will focus on testing the effectiveness of the security controls and risk mitigations in place.

Fieldwork consists of a range of activities undertaken by the security team and can include: interviewing key staff, observation of key processes, carrying out physical tests of key controls, and a review of any supporting documentation.

The purpose of fieldwork is to gather sufficient information to document the processes under review and form an “opinion” on how well the key security risks are being managed.

6 – Draft report
The output of the fieldwork will then form the content of the report and the management action plan to address any highlighted findings.

7 – Closing meeting
On completion of the fieldwork, and armed with a copy of the draft report, meet with management and hold a closing meeting. It’s at this meeting that the draft report, the findings, and any suggested actions to rectify the issues can be discussed.

8 – Conclusions and actions
Based on the assessment of the fieldwork and the issues identified, a conclusion should then be assigned, together with a defined date by which the identified issues will be addressed and the named owners responsible, because the audit will be followed up and further tested at the agreed date.

When providing your opinion of “how well security risks are being managed”, it’s useful to give a simple overall conclusion that conveys that opinion at a glance. These conclusion titles can range from “very good” to “must try harder” or “very poor”. It doesn’t matter what the conclusions are called, as long as they mean something to the business.

The report should then be circulated to an appropriate level so that the business area, its managers, and those who want and need assurance can understand the risks and gain some visibility of how they are being managed.

Comments

Robert Grossman
March 30, 2013 9:22 pm
A great logical flow chart. I would like to suggest step 9: Follow Up.
Rather than waiting for the next annual review, perhaps some follow up to ensure compliance within a shorter time frame would be helpful. This ensures implementation of some of the recommendations and provides feedback on the results — necessary for continuous improvement.
Otherwise it’s too easy to have an extended lag time between the closeout meeting and implementation of the recommendations, negating the value of the whole exercise in some cases.

Rob Ratcliff
March 31, 2013 12:31 pm

And that also gives a good opportunity to change the level of certain services, amending them to fit the risk as it may have developed. Great.