Other than controls must be enforceable, controls must also be robust because a defeated control will be an access gateway by threat actor.
Threat actors will try to evade controls to reach the jewel. Therefore, controls will need regular status check. In physical world, guard patrol is needed to observe the actual situation.
With more assets staying in cyber, cyber controls will need regular verification to remain their intended purpose. This could be achieved via multiple means depending on the protected value:
- Regular authenticated with time of date sequence to the central station
- Periodic assessment to validate if false positive or false negative
- Red team exercise as unannounced drill for readiness of the entire protection suite