Compliance monitoring encompasses two activities:
Managing residual risks
Assuring compliance to the Security Policy
Technical measures alone cannot prevent security violations. The mechanisms and techniques, administrative, procedural and technical, may prevent people from doing unauthorized things, but cannot prevent them from doing inappropriate things that their job functions entitle them to do.
Even a technically sound system with informed, vigilant management and users cannot be free of all possible vulnerabilities. The residual risk must be managed by auditing and thorough backup and recovery procedures, including disaster recovery.
In order to provide individual accountability, auditing is required. For complete accountability, every authentication and every attempted access must be recorded.
Compliance review consists of three parts: the security administration staff monitoring its own efforts, the internal audit division of the corporation monitoring compliance with the Security Policy and Standards, and external independent auditors monitoring the corporation in light of all appropriate regulatory and internal standards.
The security administration group must have a self-monitoring process that periodically reviews the standards and procedures used in the department. Some items to review regularly are:
Are users and their managers adhering to the standards on a regular basis, with few exceptions found when day-to-day activity is audited for unauthorized security events?
Does the installation fully implement the capabilities of the security system?
Have new features been added or new products been created that could enhance the security of the information assets?
Are the appropriate managers aware of the self-monitoring process, and do they respond appropriately when managerial decisions are required?
Are methods in place to address all audit exceptions?