Next: 3.1.7 Personnel management Up: 3.1 Local Network: Security Previous: 3.1.5 Data security

3.1.6 Monitoring and review

A final aspect of information resource protection to be considered is the need for ongoing management monitoring and reviewing. To be effective, a security program must be a continuous effort. Ideally, ongoing processes should be adapted to include information protection checkpoints and reviews. Information resource protection should be a key consideration in all major computer system initiatives.

Earlier, the need for system audit trails was discussed. Those audit trails are useful only if management regularly reviews exception items or unusual activities. Irregularities should be researched and action taken when merited. Similarly, all information-related losses and incidents should be investigated.

A positive benefit of an effective monitoring process is an increased understanding of the degree of information-related risk in agency operations. Without an ongoing feedback process, management may unknowingly accept too much risk. Prudent decisions about the trade-off between efficiency and control can only be made with a clear understanding of the degree of inherent risk. Every manager should ask questions and periodically review operations to judge whether changes in the environment have introduced new risk, and to ensure that controls are working effectively.


Denis Arnaud
12/19/1997