Friday 28 January 2011

A few good metrics for continuous monitoring.

This article outlines a number of metrics that can be used to support a continuous security monitoring methodology.

Tuesday 11 January 2011

Psychological Screening

The fallout from the recent spate of WikiLeaks revelations seems to have brought a sharper focus on the role of the employee in an organisation, and on the risk of data breach or theft by the individuals you employ. Two recent articles focus on the need for pre-screening and ongoing monitoring for psychological issues. A seminar last year from an internal threat analyst at a large UK bank gave a fascinating insight into the factors that can tempt an employee to steal information; personal financial problems are one example. It also looks like the federal government is screening for psychological factors such as despondency and grumpiness. If these are actual detection points, then I think I need to install some monitoring software on my own system to make sure I don't steal anything...

The psychological factors are important, but only when allied with appropriate monitoring and controls. One example is the lack of architecture testing, which can leave individuals with access rights where none should exist. Proper testing and change control need to be implemented, but consider the number of applications multiplied by the number of users multiplied by the number of permissions, then factor in the lack of monitoring and evaluation of which permissions are actually needed, employees leaving, and so on: this form of assurance quickly becomes very difficult.
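To make the last point concrete, here is an added example (not code from the original post) of the simplest form of the entitlement review the post says is missing. It cross-references a constructed HR roster, a constructed entitlement matrix and a constructed access log, and flags two things: accounts that still hold permissions although the person has left (or was never on the roster at all), and permissions that were granted but never exercised in the observed period. All data, names and applications are made up for illustration.

```python
"""
Added example (not from the original post): a minimal entitlement review.
All roster, entitlement and log data below is constructed for illustration.

Findings produced:
  - "stale": entitlements held by people who have left, or who do not
    appear in the HR roster at all (orphaned accounts)
  - "unused": entitlements that were granted but never exercised in the
    observed access log (a candidate for removal under least privilege)
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: user -> leaving date (None means still employed)
HR_ROSTER = {
    "alice": None,
    "bob": date(2010, 12, 31),   # left before the review date
    "carol": None,
}

# Constructed entitlement matrix: (user, application) -> granted permissions
ENTITLEMENTS = {
    ("alice", "payments"): {"read", "approve"},
    ("bob", "payments"): {"read"},
    ("carol", "hr_portal"): {"read", "export"},
    ("carol", "payments"): {"read"},
    ("dave", "hr_portal"): {"admin"},   # "dave" is not in the roster at all
}

# Constructed access log: (user, application, permission) actually exercised
ACCESS_LOG = [
    ("alice", "payments", "read"),
    ("alice", "payments", "read"),
    ("carol", "hr_portal", "read"),
    ("bob", "payments", "read"),   # activity from an account that should be gone
]

REVIEW_DATE = date(2011, 1, 11)   # constructed review date


def review(roster, entitlements, access_log, review_date):
    """Return (stale_findings, unused_findings).

    Each finding is a (user, application, sorted permission list) tuple.
    Stale entitlements are reported whole; unused ones list only the
    permissions with no matching log entry.
    """
    exercised = defaultdict(set)
    for user, app, perm in access_log:
        exercised[(user, app)].add(perm)

    stale_findings = []
    unused_findings = []
    for (user, app), perms in sorted(entitlements.items()):
        if user not in roster:
            # Orphaned account: nobody in HR owns it.
            stale_findings.append((user, app, sorted(perms)))
            continue
        leaving = roster[user]
        if leaving is not None and leaving <= review_date:
            # Leaver whose access was never revoked.
            stale_findings.append((user, app, sorted(perms)))
            continue
        unused = perms - exercised[(user, app)]
        if unused:
            unused_findings.append((user, app, sorted(unused)))
    return stale_findings, unused_findings


def run_review():
    """Run the review over the constructed data with the constructed date."""
    return review(HR_ROSTER, ENTITLEMENTS, ACCESS_LOG, REVIEW_DATE)


if __name__ == "__main__":
    stale, unused = run_review()
    for user, app, perms in stale:
        print(f"STALE entitlement (leaver or orphan): {user} on {app}: {perms}")
    for user, app, perms in unused:
        print(f"UNUSED entitlement: {user} on {app}: {perms}")
```

The point of the example is the shape of the join, not the toy data: the roster comes from HR, the entitlements from each application, and the usage evidence from logs, and the review is only as good as the weakest of those three feeds. Note that bob's account shows activity after his leaving date, which is exactly the kind of event that should raise an alert rather than wait for a periodic review.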