A critical requirement for any cybersecurity management program is verifying the effectiveness of established controls. While most leading cybersecurity control frameworks include verification controls, we call special attention to this as part of the process of managing cybersecurity. Organizations should periodically evaluate their security controls to determine whether those controls are operating as intended.
There are three primary ways to implement processes to monitor cybersecurity control performance and effectiveness:
- Establish and regularly review security metrics
- Conduct vulnerability assessments and penetration testing to validate security configuration
- Complete an internal audit (or other objective assessment) to evaluate security control operation
Establish security metrics
When it comes to process management, it’s often stated: “You can’t manage what you can’t measure.” It’s no different with cybersecurity. By defining the specific objectives of your security program, you can develop specific measures and monitor these measures over time to gauge process performance. You can think of security performance measures in three main categories (see figure below):
- Operational statistics include the counts of activity within an environment. These don’t necessarily reflect action by the organization, but they do help to build a general awareness of security-related activity within an organization.
- Performance measures are derived or calculated metrics that quantify an organization’s behavior or performance against a stated objective. We think of these in terms of specific action taken by employees to help maintain an organization’s security posture.
- Compliance goals are a specific type of performance measure focused on demonstrating whether an organization is complying with organizational policy.
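To make the three categories concrete, here is an added example (not from the original article) that derives each kind of measure from a small, constructed patch-management data set. The host names, advisory identifiers, dates and the 14-day / 30-day policy windows are all hypothetical; the point is how a raw count (operational statistic), a derived metric (performance measure) and a policy-based rate (compliance goal) are computed from the same records.

```python
"""Security metrics from constructed sample data (added example).

Categories, following the article:
  - operational statistics: raw counts of activity, no judgement attached
  - performance measures: derived metrics against a stated objective
  - compliance goals: performance measures tied to organizational policy
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str            # hypothetical advisory id
    severity: str            # "critical", "high", "medium" or "low"
    released: date           # date the patch was published
    applied: Optional[date]  # date applied, or None if still missing


# Constructed sample inventory: hypothetical hosts, advisories and dates.
SAMPLE = [
    PatchRecord("web-01", "ADV-0001", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    PatchRecord("web-02", "ADV-0001", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    PatchRecord("db-01",  "ADV-0002", "high",     date(2024, 3, 3), date(2024, 3, 10)),
    PatchRecord("db-01",  "ADV-0003", "medium",   date(2024, 3, 8), None),
    PatchRecord("app-01", "ADV-0002", "high",     date(2024, 3, 3), None),
]

# Reporting date for the example run (constructed).
AS_OF = date(2024, 4, 1)

# Hypothetical organizational policy: critical/high patches applied within
# 14 days of release, medium/low within 30 days.
POLICY_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 30}


def operational_stats(records):
    """Operational statistics: plain counts of what is in the environment."""
    return {
        "hosts": len({r.host for r in records}),
        "patches_tracked": len(records),
        "patches_missing": sum(1 for r in records if r.applied is None),
        "critical_open": sum(
            1 for r in records if r.applied is None and r.severity == "critical"
        ),
    }


def mean_days_to_patch(records):
    """Performance measure: mean days from release to application.

    Only applied patches contribute; open ones are reported separately
    above so that they do not silently shorten the average.
    """
    done = [(r.applied - r.released).days for r in records if r.applied is not None]
    return sum(done) / len(done) if done else None


def within_policy(record, as_of):
    """True if the patch meets its policy window as of the reporting date.

    An unapplied patch still counts as compliant while its window has not
    yet expired; once the window passes it becomes a policy breach.
    """
    end = record.applied if record.applied is not None else as_of
    return (end - record.released).days <= POLICY_DAYS[record.severity]


def compliance_rate(records, as_of):
    """Compliance goal: fraction of tracked patches meeting the policy window."""
    return sum(1 for r in records if within_policy(r, as_of)) / len(records)


if __name__ == "__main__":
    print("operational:", operational_stats(SAMPLE))
    print("mean days to patch:", mean_days_to_patch(SAMPLE))
    print("policy compliance:", compliance_rate(SAMPLE, AS_OF))
```

Running the report over the sample data gives four hosts with two patches still missing, a mean of 10 days to patch, and a 60% compliance rate; tracked over successive reporting dates, the same three functions give the trend the article recommends monitoring.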

Conduct vulnerability assessments and penetration testing
In order to verify the effectiveness of security configuration, all organizations should conduct vulnerability assessments and penetration testing. The purpose of the vulnerability assessment is to identify system security patches the organization may have missed or any weak security configurations the organization has applied. Security firms use a variety of automated scanning tools to compare system configurations to published lists of known vulnerabilities.
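The following is an added example (not the article's own code) of the two comparisons a vulnerability assessment tool performs: installed software versions checked against a published list of fixed-in versions, and a host's configuration checked against a hardening baseline. The advisory list, host inventory, configuration text and baseline are all constructed for the example; real scanners consume vendor advisory feeds and benchmark definitions instead.

```python
"""Core of a vulnerability assessment (added example, constructed data)."""


def parse_version(v):
    """'9.10' -> (9, 10). Numeric comparison matters: as strings,
    '9.10' < '9.6' is True, so a naive string compare would report a
    fully patched host as vulnerable."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory list: package, first fixed version, hypothetical id.
ADVISORIES = [
    {"package": "openssh", "fixed_in": "9.6",   "id": "ADV-EXAMPLE-1", "severity": "high"},
    {"package": "libxyz",  "fixed_in": "2.4.1", "id": "ADV-EXAMPLE-2", "severity": "medium"},
]

# Constructed software inventory collected from hosts.
INVENTORY = [
    {"host": "web-01", "package": "openssh", "version": "9.3"},
    {"host": "web-02", "package": "openssh", "version": "9.10"},
    {"host": "db-01",  "package": "libxyz",  "version": "2.4.1"},
    {"host": "db-01",  "package": "openssh", "version": "9.6"},
]


def find_vulnerable(inventory, advisories):
    """Missed-patch check: report every installed version below the fixed-in version."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"], []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_pkg.get(item["package"], []):
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "host": item["host"],
                    "package": item["package"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


# Hypothetical hardening baseline for an sshd_config-style file.
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

# Constructed configuration files per host ("Key value" lines, '#' comments).
CONFIGS = {
    "web-01": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "web-02": "# hardened build\nPermitRootLogin no\nPasswordAuthentication no\n",
}


def check_config(host, text, baseline):
    """Weak-configuration check: report settings that differ from the baseline.

    A setting absent from the file falls back to the daemon's default, which
    the baseline cannot vouch for, so it is reported as a deviation too.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return [
        {"host": host, "setting": key, "expected": expected, "actual": settings.get(key)}
        for key, expected in baseline.items()
        if settings.get(key) != expected
    ]


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print("missing patch:", f)
    for host, text in CONFIGS.items():
        for d in check_config(host, text, BASELINE):
            print("weak config:", d)
```

On the constructed data only web-01 is reported: once for the outdated openssh build and once for permitting root login. web-02, at version 9.10, is correctly left alone because versions are compared numerically rather than as strings.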
