Security Remediation Planning
“People are spending a lot of money right now on remediation planning, but they are surprised that they are not getting the results they expected.” -Mike Gentile
Many organizations are planning how to fix large numbers of security issues. These issues range from large-scale patching of vulnerable systems to addressing a lack of security-related processes such as risk management.
This article is designed to give executives who may not have an information security background tips and considerations for planning their remediation activities.
Tip 1: Understand the difference between tactical and foundational planning efforts
Tactical efforts are groups of one-time tasks performed expediently, for example the remediation of a large group of security vulnerabilities on systems.
Foundational remediation efforts are associated with setting up and establishing repeatable processes or standards for performing remediation activities.
Tactical efforts yield a one-time benefit when performed, while foundational activities yield more efficient and effective progress over time.
Tip 2: Focus on both tactical and foundational efforts during planning
Organizations face both complexity and breadth of work when it comes to security program development and planning.
In order to succeed, it is best to focus on both tactical and foundational types of work, in varying doses based on the business need. Finding the right balance is essential to ensuring that the work is done in the most cost-effective manner.
Tip 3: Define standards and processes to do the work and then do it
In any organization, your security requirements and standards should be expressed through your suite of security policies, standards, and guidelines.
It is highly recommended that your tactical remediation efforts be performed against your security policies and standards. If your existing policy set is not accurate or complete enough to be used, fix it before taking on large amounts of tactical work.
Tip 4: Parse the work and then run it through the new process
Many tactical efforts in information security involve large amounts of repetitive tasks, for example patching 20,000 systems in your environment.
Instead of fixing all 20,000 tactical items at once, build the process for performing this work (a foundational effort) and then push some of the tactical work through it. In this example, break off, say, 1,000 of those vulnerabilities and run them through the new process.
After the first 1,000 are fixed, improve the process based on the lessons learned from that work, and then fix the rest using your enhanced process.
Want more information? Contact one of our information security experts.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build information security programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many security programs in both internal and external consulting roles.