The Aftermath Of An Assessment
You just had your Security Assessment completed and received the debrief, which is a report detailing each potential security vulnerability that was identified. As many organizations have done in the past, you review the report and wonder where to begin. These reports could be lengthy if the assessment identified a large amount of potential vulnerabilities. Most organizations read the executive summary and realize that they do not have the experience or background to mitigate the potential vulnerabilities that were identified so they toss the report to the bottom of their to-do list and hope for the best.
As some security firms fail to properly educate their client on what the report will contain along with not properly guiding the client into their next phase, top tier security firms are left picking up the pieces as we need to assess what the previous firm completed and where they left off. All security firms should explain their findings and provide a high-level approach on ways to mitigate the potential vulnerabilities that were found. Additionally, most organizations assume that security programs can be embedded into other “technical” business units whose primary focus is not securing the enterprise. This causes multiple stumbling blocks when the mitigation steps are being implemented.
This is where Slate takes a different approach when we perform our assessments. We look at our clients as a Partner, educating them on why failures occur with specific security controls. If they do not understand the Control that failed and why, they are doomed to never correct it. This may take more time during the assessment, but this exchange of information creates a level of trust and understanding to show that we are really there to assist them and not tear down their infrastructure.
When we review the debrief with our partners, we suggest that they approach the findings report in a methodical and scaled approach. The initial step is to categorize the findings based on severity level. Categorizing by severity will be different for each client. There isn’t a one size fits all when evaluating risk levels. The only way to do this is to understand the value of the data elements being protected, this includes monetary and non-monetary values. The next step will be to determine the complexity to mitigate the vulnerability and the cost to implement. These steps will help with identifying the actual risk levels, which will determine if the risk is at a point to correct or accept the risk.
Breaking down the findings using this approach will help create a Plan Of Action & Milestones (POAM) to track the progress in mitigation. It also helps create a sense that correcting the findings are not out of the realm of possibility. The goal is to work WITH your partners and provide the guidance needed after the assessment is completed so they realize that implementing a proper Security Program after an assessment is complete is important but also takes time if done properly.