When designing security controls, it is necessary to determine whether the controls can actually be executed effectively. Controls are sometimes defeated by situations the designer did not anticipate. To avoid this pitfall, a holistic assessment is required at two stages:
- Design stage: whether the intended control function is effective and cannot be circumvented (the design effectiveness review)
- Operations and maintenance (O&M) stage: whether the control can be operated as designed (the operational effectiveness review)
Across the entire life cycle of a digital solution, this means:
- Identify the business value at initiation so that the necessary and optimal controls are put in place to minimize business impact; this acts as the procurement requirement
- During design, determine whether the proposed controls are effective and, if not, develop the necessary compensating controls. A typical example is a guard patrol that verifies the CCTV cameras are still operating properly
- Validate the controls before the system goes live, and rectify any deviations of the deployed solution from the design
- During O&M, regularly assess whether the controls remain effective against new threats
- Dispose of the controls securely when the digital solution is retired