Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Sunday, July 28, 2013

Creating an Action Plan from a Security Review


After all the work of performing a security review of an organization, it is time to create an action plan.   This plan must be something the client can use, so it must be actionable.

How do you classify the threats and vulnerabilities that need to be addressed?   By functional area, location, responsible team, severity, or by the amount of effort needed to implement the recommendation?

I believe a table format is the easiest for the client to read.   Additionally, breaking the table up by functional area is also beneficial for the client.  Within each section I list the deficiencies by risk level, highest first.  This allows the client to quickly identify the highest-risk items for each section.

The typical action plan table will have the following headings:

Vulnerable Area/System - The area (e.g. Active Directory) or system (e.g. Checkpoint Firewall) affected
Threat Description - A short description of the threat or vulnerability.   The full description and risk discussion will be listed either elsewhere in this report or in a separate threat analysis report
Severity - The risk level of the threat: High, Medium, Low
Remediation Effort - Based on the amount of work that will be required to implement the specific control.  I prefer to use Costly, Moderate, Low.
Recommendation - The recommendation to correct the deficiency.  I keep this at a high level, as details can be provided to each responsible area.

Finally, an appendix of definitions.  At a minimum it includes the definitions of the Severity (risk) ratings and the Remediation Effort ratings, so that every value in the table has one agreed meaning.
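The table layout above is easy to produce from structured findings rather than by hand, which also keeps the severity ordering and the appendix consistent across revisions. The following script is an added example, not tooling from the blog: it takes findings with the five columns described, groups them by functional area, orders each section by severity and then by remediation effort (so quick wins at a given risk level surface first), refuses any rating that is not defined in the appendix, and renders Markdown tables plus the definitions appendix. The `Finding` class, the rating definitions and the sample findings are all assumptions constructed for illustration; the ordering of the functional-area sections by their worst finding is a design choice of this example, not something the post specifies.

```python
"""Build a security-review action plan, grouped by functional area and
ordered by risk, from a list of findings (added example, not the blog's own tooling)."""
from collections import defaultdict
from dataclasses import dataclass

# Rating scales from the post; a lower rank sorts earlier in the table.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
EFFORT_RANK = {"Low": 0, "Moderate": 1, "Costly": 2}

# Appendix definitions (assumed wording; the post only says the appendix must define them).
RATING_DEFINITIONS = {
    "Severity": {
        "High": "Exploitation is likely and would cause major business impact; fix first.",
        "Medium": "Exploitation is plausible or the impact is contained; fix in the next cycle.",
        "Low": "Exploitation is unlikely or the impact is minor; fix as resources allow.",
    },
    "Remediation Effort": {
        "Low": "Configuration change or policy update by the owning team.",
        "Moderate": "Project work within one team; some testing or downtime needed.",
        "Costly": "Cross-team project, new products or licences, or major re-architecture.",
    },
}

HEADERS = ["Vulnerable Area/System", "Threat Description", "Severity",
           "Remediation Effort", "Recommendation"]


@dataclass(frozen=True)
class Finding:
    functional_area: str   # section of the report, e.g. "Identity" (assumed grouping key)
    area_or_system: str    # Vulnerable Area/System column
    threat: str            # Threat Description column (short form)
    severity: str          # High / Medium / Low
    effort: str            # Costly / Moderate / Low
    recommendation: str    # high-level fix; details go to the responsible team


def validate(finding: Finding) -> Finding:
    """Reject ratings that are not in the appendix, so the table never carries an undefined value."""
    if finding.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {finding.severity!r} for {finding.threat!r}")
    if finding.effort not in EFFORT_RANK:
        raise ValueError(f"unknown effort {finding.effort!r} for {finding.threat!r}")
    return finding


def group_and_rank(findings):
    """Group by functional area; within each area sort by severity, then by effort,
    so the cheapest fixes at a given risk level come first. Areas are ordered by
    their worst finding (ties alphabetically), so the riskiest section leads."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[validate(finding).functional_area].append(finding)
    for items in grouped.values():
        items.sort(key=lambda f: (SEVERITY_RANK[f.severity], EFFORT_RANK[f.effort]))
    return dict(sorted(grouped.items(),
                       key=lambda kv: (SEVERITY_RANK[kv[1][0].severity], kv[0])))


def render_action_plan(findings) -> str:
    """Render one Markdown table per functional area followed by the definitions appendix."""
    lines = []
    for area, items in group_and_rank(findings).items():
        lines += [f"## {area}", "",
                  "| " + " | ".join(HEADERS) + " |",
                  "|" + "---|" * len(HEADERS)]
        for f in items:
            row = [f.area_or_system, f.threat, f.severity, f.effort, f.recommendation]
            lines.append("| " + " | ".join(row) + " |")
        lines.append("")
    lines += ["## Appendix: Rating Definitions", ""]
    for scale, levels in RATING_DEFINITIONS.items():
        lines.append(f"### {scale}")
        lines += [f"- {level}: {text}" for level, text in levels.items()]
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings for illustration; not from any real review.
SAMPLE_FINDINGS = [
    Finding("Network", "Checkpoint Firewall", "Any-source rule allows inbound RDP to the DMZ",
            "High", "Moderate", "Restrict RDP to the jump host and remove the any-source rule"),
    Finding("Identity", "Active Directory", "Password policy allows 6-character passwords",
            "Medium", "Low", "Raise the minimum length and enforce complexity via Group Policy"),
    Finding("Identity", "Active Directory", "Former staff retain enabled Domain Admin accounts",
            "High", "Low", "Disable and remove stale privileged accounts; tie offboarding to HR"),
    Finding("Network", "Core switches", "Management interfaces reachable from user VLANs",
            "Medium", "Costly", "Move device management onto a dedicated, ACL-restricted VLAN"),
    Finding("Identity", "Active Directory", "Service account passwords are set to never expire",
            "High", "Moderate", "Move to managed service accounts or rotate on a schedule"),
]

if __name__ == "__main__":
    print(render_action_plan(SAMPLE_FINDINGS))
```

Running the script prints the Identity section first (its top row is the High-severity, Low-effort stale Domain Admin finding), then Network, then the appendix. Swapping `render_action_plan` for a CSV or spreadsheet writer is straightforward if the client prefers to track remediation in their own tooling; the validation and ordering stay the same.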
 
Until next time....
~Skeeter