How to properly design, select, analyse and implement controls?

Well, the beginning is no surprise – start with understanding the current state of IT risk. Test the existing controls and understand the incident management programs.

Then use that current state as a reference point (baseline). This will let you identify the gap that needs to be addressed.

Once you know where the gap is, understand the reason behind it. This will help you find a solution that addresses the gap rather than its symptoms.

When thinking about controls, remember that there are two main types:

  • proactive – acts before the incident, e.g. a warning sign,
  • reactive – acts after the incident, e.g. a fire extinguisher.

When introducing controls, remember about proper Control Management Procedures; they will make the life of the organization much easier. Below are the most important components of such procedures.

  1. Proper installation.
  2. Policies and procedures supporting operations.
  3. Change Management.
  4. Training of staff to monitor, manage and review controls.
  5. Assignment of responsibilities.
  6. Schedule for review and reporting.
  7. KPIs.

What about a situation where the implemented controls are not enough? We can try to introduce compensating measures:

  • layered defense,
  • increased supervision,
  • increased audits,
  • logging of system activities.

Extras:

Changeover (Go-live) Techniques:

  • Parallel Changeover – old and new system run side by side,
  • Phased Changeover – individual components or modules are replaced one at a time,
  • Abrupt Changeover – single-instant move from the old system to the new one; abrupt changeover may be used when rollback is relatively assured or the impact is minor.

Rollback (fallback):

  • post-implementation review as soon as practical,
  • lessons learned,
  • a second joint review after some time in production.