How to turn controls into increased efficiency?
- Create the simplest process and procedures your team can and will follow
- Identify relevant metrics to measure output and quality
Identify and evaluate opportunities to automate stable, manual procedures:
- Will the investment in automation tools increase output or quality? (ideally both)
- Are the identified tools already in use elsewhere in the organization? Experience can help identify potential hurdles and limitations
- Who is impacted by the automation?
  - Will they need training to adapt to the automation, or to perform new activities?
- Consider the ongoing maintenance costs
  - Maintenance contracts to ensure you have access to security updates and new versions
  - Someone will need to maintain the automation technology
Procedures aren’t the end of creativity and adaptability. A procedure is the business version of a habit. Think of your morning routine:
- Turn off the alarm
- Get out of bed
- Go to the bathroom
- Brush your teeth, and so on
You don’t really think about what you’re doing, and that’s a good thing. Your mind is getting ready for the day ahead, which is where your energy needs to be focused.
Now think of how you might start your day at work in the office:
- Walk into the building
- Swipe your badge
- Get some coffee, say hi to your colleagues
- Walk to your work area or office
- Log in to your computer
- Open your email, browser, and so on
A simple procedure doesn’t mean it has fewer than 10 steps. It means that someone with basic knowledge about the work can execute the tasks successfully.
Example: Password reset requests
Current situation: Staff may call the helpdesk, send a request from their personal email, use WhatsApp to contact their favorite admin, whatever works.
New procedure:
- Staff MUST contact the helpdesk using the designated number, email address, or contact form. All other requests must be redirected.
- The helpdesk:
  - Creates a request linked to the person.
  - Confirms the person’s identity:
    - The helpdesk has access to information provided by each person, saved in a central, secure location. This should not be personal information; it’s confidential information the person shared for the sole purpose of identifying themselves. For example, a set of questions and answers of their choosing.
    - NOTE: If identification fails, the request is changed to a security incident.
  - Chooses a new, random password, generated by random.org
- The requestor confirms they can access the site, system, or app.
Metrics:
- Number of password resets per period
- Number of security incidents generated from password reset requests
- Number of times the requestor failed in using the new password
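The helpdesk procedure and its metrics, as an added example that is not part of the original post: identification answers are kept only as salted hashes, a failed identification becomes a security incident instead of a reset, the new password comes from the `secrets` module (assumed here in place of random.org), and the counters map to the three metrics above. Names such as `ResetDesk` and the sample person are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field


def _hash_answer(salt: bytes, answer: str) -> bytes:
    # Normalise (trim, lower-case) so "Rex " and "rex" match, then hash with a per-answer salt.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


@dataclass
class ResetDesk:
    store: dict  # person -> {question: (salt, hashed answer)}; the "central, secure location"
    metrics: dict = field(default_factory=lambda: {"resets": 0, "incidents": 0, "login_failures": 0})
    incidents: list = field(default_factory=list)

    def enroll(self, person: str, qa: dict) -> None:
        # Each person shares questions and answers of their choosing; only hashes are stored.
        entries = {}
        for question, answer in qa.items():
            salt = secrets.token_bytes(16)
            entries[question] = (salt, _hash_answer(salt, answer))
        self.store[person] = entries

    def _identify(self, person: str, answers: dict) -> bool:
        expected = self.store.get(person, {})
        if not expected or set(answers) != set(expected):
            return False  # unknown person or wrong question set
        ok = True
        for question, (salt, digest) in expected.items():
            # Check every answer in constant time; do not stop at the first mismatch.
            ok &= hmac.compare_digest(digest, _hash_answer(salt, answers[question]))
        return ok

    def request_reset(self, person: str, answers: dict):
        request_id = secrets.token_hex(4)  # the request linked to the person
        if not self._identify(person, answers):
            # NOTE from the procedure: failed identification becomes a security incident.
            self.metrics["incidents"] += 1
            self.incidents.append((request_id, person))
            return None
        alphabet = string.ascii_letters + string.digits
        new_password = "".join(secrets.choice(alphabet) for _ in range(16))
        self.metrics["resets"] += 1
        return new_password

    def confirm_access(self, succeeded: bool) -> None:
        # The requestor confirms access; a failure feeds the third metric.
        if not succeeded:
            self.metrics["login_failures"] += 1
```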
While the procedure may be functional, as an organization grows, it may become tedious to have an ever-increasing number of password-reset requests. However, the Service Desk and Cybersecurity should be monitoring the metrics (amongst others) to see if there are opportunities for improvement, such as:
- Self-service account management portals
- Passkeys to replace passwords altogether
The process described above would be acceptable for a SOC 2 attestation, and the improvements should comply with all frameworks and regulations, as far as I know.
Did I miss something?