“Who watches the watchers?” is a question we ask often when assessing a client’s information security program. Far too often, the answer is either “Huh?” or “No one, really.” That is a LOT of trust for an organization to place in one individual or a small team.
In a small team, at least, you hopefully have peers checking each other’s work. You do that, right? You either rotate duties, run a formal peer review process, or otherwise make sure a second set of eyes from the team double-checks critical work. That is what mature teams do, and they do it both often and formally. It is a great control and an effective way to build cooperation between team members.
The problem gets harder when your security team (and/or IT team) is one person. Then it absolutely REQUIRES that someone, be it a manager, a peer from another department, an auditor or even a consultant, checks their work periodically. After all, if one person manages the servers, the firewall, the network, the intrusion detection and the logging, they have effectively complete control over the data and over the evidence of what they did with it, and could do as they please without fear of getting caught. That is not to say that people in this role are untrustworthy. They usually are trustworthy. The problem is that some are not, and, to further complicate matters, it is often quite difficult to tell the honest from the dishonest. So, as we always say, “Trust, but verify.”

Implement an ongoing peer review process, even if that peer is an auditor or consultant. Have them come in and double-check the quarter’s progress. Ask them to spot-check reports, logs and configurations: who holds administrative accounts, what changed in the firewall rules, whether the logs the reports are based on are complete and have not been altered. It is not comprehensive, but it sends the message that someone is checking, and simply having a different person look at different items often leads to interesting discoveries, usually not malicious, but often something missed in the day-to-day.
How does your organization use peer review? What works and what hasn’t worked for you? Leave us a comment or drop us a line on Twitter (@lbhuston) and let us know.