After all the work of performing a security review of an organization, it is time to create an action plan. This plan must be something the client can use, so it must be... actionable.
How do you classify the threats and vulnerabilities that need to be addressed? Do you do it by functional area, location, responsible area, severity, or by the amount of effort to implement the recommendation?
I believe using a table format is the easiest for the client to read. Additionally, I believe breaking the table up by functional area is also beneficial for the client. I choose to list the deficiencies by risk level. This allows the client to quickly identify the highest-risk items for each section.
The typical action plan table will have the following headings:
Vulnerable Area/System - The area (e.g. Active Directory) or system (e.g. Checkpoint Firewall) the finding applies to.
Threat Description - A short description of the threat or vulnerability. The full description and/or risks will be listed either elsewhere in this report or in a separate threat analysis report.
Severity - The risk level of the threat: High, Medium, Low.
Remediation Effort - Based on the amount of work that will be required to implement the specific control. I prefer to use Costly, Moderate, Low.
Recommendation - The recommendation to correct the deficiency. I choose to keep this at a high level, as details can be provided to each responsible area.
Finally, an appendix of definitions. At a minimum, it includes the definitions of the Risk ratings and Remediation Effort ratings, so that the client reads "High" or "Costly" the same way the reviewer meant them.
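To make that layout concrete, here is an added Python example (not code from the original post) that takes a list of findings, rejects any rating not defined in the appendix scales, and emits one table per functional area with rows ranked High to Low. The tie-breaker (cheapest remediation first among equal severities) is my assumption, not something the post specifies, and the sample findings are constructed for illustration only.

```python
"""Generate a security-review action plan: one table per functional area,
rows ordered by risk level. Added example, not code from the original post."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating scales as the post defines them; dictionary order is the sort priority.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
EFFORT_ORDER = {"Low": 0, "Moderate": 1, "Costly": 2}

# The five headings from the post, in column order.
COLUMNS = ("Vulnerable Area/System", "Threat Description", "Severity",
           "Remediation Effort", "Recommendation")


@dataclass(frozen=True)
class Finding:
    area: str            # Vulnerable Area/System
    threat: str          # short Threat Description
    severity: str        # High / Medium / Low
    effort: str          # Costly / Moderate / Low
    recommendation: str  # high-level fix; details go to the responsible area


def validate(finding: Finding) -> None:
    """Reject ratings outside the defined scales, so every value that lands in
    the table is one the definitions appendix actually explains."""
    if finding.severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {finding.severity!r}: {finding.threat}")
    if finding.effort not in EFFORT_ORDER:
        raise ValueError(f"unknown effort {finding.effort!r}: {finding.threat}")


def group_and_rank(findings: List[Finding]) -> List[Tuple[str, List[Finding]]]:
    """Group findings by area (areas keep first-seen order), then rank each
    group by severity (High first). Ties break on cheapest remediation first
    (an assumption), so the top rows of each section are high-risk quick wins."""
    sections: Dict[str, List[Finding]] = {}
    for finding in findings:
        validate(finding)
        sections.setdefault(finding.area, []).append(finding)
    ranked: List[Tuple[str, List[Finding]]] = []
    for area, items in sections.items():
        items.sort(key=lambda f: (SEVERITY_ORDER[f.severity], EFFORT_ORDER[f.effort]))
        ranked.append((area, items))
    return ranked


def render_markdown(findings: List[Finding]) -> str:
    """Render one Markdown table per area using the post's five headings."""
    lines: List[str] = []
    for area, items in group_and_rank(findings):
        lines.append(f"### {area}")
        lines.append("| " + " | ".join(COLUMNS) + " |")
        lines.append("|" + "---|" * len(COLUMNS))
        for f in items:
            lines.append(f"| {f.area} | {f.threat} | {f.severity} | {f.effort} | {f.recommendation} |")
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings for illustration only; not real review results.
SAMPLE_FINDINGS = [
    Finding("Active Directory", "Password policy weaker than the organizational standard",
            "Medium", "Low", "Align the domain password policy with the standard"),
    Finding("Checkpoint Firewall", "Rule base contains rules that no traffic matches",
            "Low", "Low", "Remove unused rules after a confirmation period"),
    Finding("Active Directory", "Legacy authentication protocols still enabled",
            "High", "Costly", "Plan a phased retirement of legacy protocols"),
    Finding("Checkpoint Firewall", "Overly permissive rule permits any-to-any traffic between segments",
            "High", "Moderate", "Restrict the rule to required sources, destinations and services"),
    Finding("Active Directory", "Privileged group membership is not periodically reviewed",
            "High", "Low", "Review and prune privileged groups on a fixed cycle"),
]

if __name__ == "__main__":
    print(render_markdown(SAMPLE_FINDINGS))
```

The validation step matters more than it looks: a single "Critical" or "Medium-High" that slips into a client deliverable undermines the appendix of definitions, so the generator refuses to render anything the scales do not cover.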
Until next time....
~Skeeter