What control activities to verify?

During the validation of control activities you should attempt to make security easier on users and more difficult for attackers. 

Activities to verify may include (not limited to):

  • Prevention (2FA, least privilege, reduce deniability, …)
  • Delay (strong encryption, layering, …)
  • Detect (monitor, detect change, audit, automate, …)
  • Compliance (implementation of corporate policy and standards, including configuration best practices)
  • Recover (verify the ability to reset to the last known good state)
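As an added illustration of validating the Detect and Recover items above (example code written for this page, not from the original post), the script below checks a constructed configuration against a known-good baseline. It validates the Detect activity by injecting a deliberate change and confirming the monitor flags it, and validates Recover by confirming a reset reproduces the baseline fingerprint. The setting names and values are hypothetical and not taken from any real host.

```python
"""Constructed example: exercising 'detect change' and 'recover to last
known good state' control activities against a configuration baseline."""
import hashlib
import json
from typing import Dict, Optional, Tuple

# Constructed known-good baseline (hypothetical settings, not a real system).
KNOWN_GOOD: Dict[str, str] = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "auth.mfa_required": "true",
    "audit.log_retention_days": "365",
}


def fingerprint(state: Dict[str, str]) -> str:
    """Stable SHA-256 over canonical JSON so two states compare as one value."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_change(
    baseline: Dict[str, str], current: Dict[str, str]
) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {key: (expected, actual)} for every deviation from the baseline,
    including keys that were added or removed."""
    drift: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            drift[key] = (baseline.get(key), current.get(key))
    return drift


def recover(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Reset to the last known good state: unknown keys are dropped and every
    expected key is restored to its baseline value."""
    return dict(baseline)


def verify_controls(baseline: Dict[str, str], current: Dict[str, str]) -> dict:
    """Validate the Detect and Recover activities by exercising them.

    Detect passes only if a deliberately injected change is reported;
    Recover passes only if the reset reproduces the baseline fingerprint.
    """
    injected = dict(current)
    injected["_validation.canary"] = "changed"  # constructed test change
    detect_ok = "_validation.canary" in detect_change(baseline, injected)

    restored = recover(baseline, injected)
    recover_ok = fingerprint(restored) == fingerprint(baseline)

    return {
        "detect": detect_ok,
        "recover": recover_ok,
        "drift": detect_change(baseline, current),
    }


if __name__ == "__main__":
    # Constructed drifted state: one hardened setting weakened, one unknown key added.
    drifted = dict(KNOWN_GOOD)
    drifted["sshd.PermitRootLogin"] = "yes"
    drifted["extra.setting"] = "1"
    print(json.dumps(verify_controls(KNOWN_GOOD, drifted), indent=2))
```

The point of `verify_controls` is that a control is validated by exercising it, not by reading its documentation: the canary change proves the monitor actually fires, and the fingerprint comparison proves the reset actually lands on the known-good state.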

NOTE: validation of control activities is not considered an audit. Auditors themselves should also be evaluated (watching the watcher) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.
