2.1 Centralize Existing Findings Reports in your Environment
In most organizations, security has been around long enough that a long list of previously performed security assessments already exists.
Though these previous assessments will vary in scope, quality, and primary area of focus, and some of their findings may even have been remediated, they are much more meaningful when aggregated and organized together. Doing this adds a sense of proactivity to your efforts, as well as some calm if you are feeling overwhelmed.
This activity is all about collecting any findings reports that may provide insight and centralizing them in a single database. This database, often a spreadsheet, should be designed so that all of the information can be normalized and the data from different reports can be used together later on.
Centralize Security Program Findings Tips:
Tip 1: Garbage in, garbage out. Make sure you collect every finding that is relevant to understanding your current security posture. If there are gaps in the findings you identify, it is impossible to arrive at a valid roadmap in step 3.
Tip 2: Don’t be picky about what you collect for inclusion. Determine the relevance of a findings report to security after you review it, not before. One big caveat to this tip is to leave findings from technical vulnerability scanning activities, such as Nessus, Rapid7, etc., out of this activity for now. Though these findings are critical, they are too detailed for this step in the process and should be handled using a more appropriate approach.
Tip 3: Absolutely include duplicate findings. When you fix the issue, you get to cross off all of those duplicates for free; it doesn’t get better than that.
Tip 4: Take time to learn the story behind each finding, even if it is in an old report. I have often found that old findings, especially those that have never been fixed, provide the best insight into which remediation approaches to use in the future and which ones did not work. If a finding was not fixed, I want to learn why so that I can remove that roadblock later on when I execute my remediation plan.
Tip 5: Don’t worry if the report was produced by another group in your organization. For example, if you are in the information security office, don’t be afraid to collect reports that may live in groups such as finance. Groups like finance, especially if your organization is publicly traded, are often subject to assessments like General Control Reviews for SOX. These reviews often contain great insight about information security safeguards, and their findings will be directly related.
Tip 6: Some common areas to locate this information include:
- Any assessments performed by or for the information security program
- General Controls Assessments for SOX
- Readiness assessments for SSAE 16
- Finalized SSAE 16 opinions
- Any internally or externally performed assessments by Information Technology groups
- Previous security assessments performed on your organization by your customers
- Regulatory assessments such as HIPAA for healthcare, FFIEC for banking, etc., often driven by the compliance office
- If you process credit cards, any assessments associated with the Payment Card Industry (PCI)
Tip 7: The best way to collect these reports, especially if they live in various groups around the organization, is simply to ask for them. Easy enough, but for some reason people are often afraid to ask for reports held by groups outside of their control. Don’t be; this fear is unwarranted, especially if you take the time to tell the people you are requesting the reports from why you want them.
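The central register described above (one normalized schema fed by reports with different field names and severity scales) and the duplicate-handling rule in Tip 3 can both be shown in a small script. The following is an added example, not code from the original guide or from any tool it mentions; the report column names, the severity scales, the mapping to a common 1 to 4 scale and the sample findings are all constructed assumptions standing in for whatever your pentest report, SOX general controls review or customer assessment actually contain. Duplicates are kept, but grouped by a normalized key so that closing one finding shows every report it clears.

```python
"""Normalize findings from heterogeneous assessment reports into one register.

Added example, not from the original guide. Report layouts, field names and
severity scales are constructed assumptions, as is the sample data.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

# Register-wide severity scale: 4 = Critical, 3 = High, 2 = Medium, 1 = Low.
# Each source's own scale is mapped onto it (assumed scales).
SEVERITY_MAPS = {
    "pentest": {"critical": 4, "high": 3, "medium": 2, "low": 1},
    "sox_gcr": {"material weakness": 4, "significant deficiency": 3, "deficiency": 2},
    "customer": {"5": 4, "4": 3, "3": 2, "2": 1, "1": 1},   # 1-5 questionnaire score
}

# Column names differ per source; map each to the register's columns (assumed).
FIELD_MAPS = {
    "pentest": {"title": "Finding", "severity": "Risk", "status": "Status", "date": "Reported"},
    "sox_gcr": {"title": "Control Gap", "severity": "Rating", "status": "Remediation Status", "date": "Review Date"},
    "customer": {"title": "Issue", "severity": "Score", "status": "State", "date": "Assessed"},
}

# Status words that mean the finding is already remediated.
REMEDIATED_WORDS = {"closed", "remediated", "fixed", "resolved"}


@dataclass
class Finding:
    source: str
    report_date: str
    title: str
    severity: int      # normalized 1-4
    is_open: bool
    dedup_key: str     # identical for duplicate findings across reports (Tip 3)


def dedup_key(title: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that
    'Weak Password Policy!' and 'weak  password policy' map to one key."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", title.lower()).split())


def normalize(source: str, row: dict) -> Finding:
    """Translate one raw report row into the register's common schema."""
    fields = FIELD_MAPS[source]
    sev_raw = row[fields["severity"]].strip().lower()
    severity = SEVERITY_MAPS[source].get(sev_raw)
    if severity is None:
        raise ValueError(f"{source}: unknown severity {sev_raw!r}")
    status = row[fields["status"]].strip().lower()
    title = row[fields["title"]].strip()
    return Finding(
        source=source,
        report_date=row[fields["date"]].strip(),
        title=title,
        severity=severity,
        is_open=status not in REMEDIATED_WORDS,
        dedup_key=dedup_key(title),
    )


def build_register(reports: dict) -> list:
    """reports maps a source name to the CSV text of that report's findings table."""
    register = []
    for source, text in reports.items():
        for row in csv.DictReader(io.StringIO(text)):
            register.append(normalize(source, row))
    return register


def duplicate_groups(register: list) -> dict:
    """Findings that describe the same issue, keyed by dedup_key.
    Every entry stays in the register; fixing one issue closes the whole group."""
    groups = defaultdict(list)
    for f in register:
        groups[f.dedup_key].append(f)
    return {k: v for k, v in groups.items() if len(v) > 1}


def open_by_severity(register: list) -> dict:
    """Count still-open findings per normalized severity."""
    counts = defaultdict(int)
    for f in register:
        if f.is_open:
            counts[f.severity] += 1
    return dict(counts)


# Constructed sample reports, one CSV per source (not real assessment data).
SAMPLE_REPORTS = {
    "pentest": (
        "Finding,Risk,Status,Reported\n"
        "Weak password policy,High,Open,2022-03-01\n"
        "Outdated TLS configuration,Medium,Closed,2022-03-01\n"
    ),
    "sox_gcr": (
        "Control Gap,Rating,Remediation Status,Review Date\n"
        "Weak Password Policy!,Significant Deficiency,In Progress,2023-01-15\n"
        "Terminated users retain access,Deficiency,Open,2023-01-15\n"
    ),
    "customer": (
        "Issue,Score,State,Assessed\n"
        "weak  password policy,4,open,2023-06-30\n"
        "No vendor risk process,3,open,2023-06-30\n"
    ),
}

if __name__ == "__main__":
    reg = build_register(SAMPLE_REPORTS)
    for key, group in duplicate_groups(reg).items():
        print(f"{key!r} reported {len(group)} times by {[f.source for f in group]}")
    print("open findings by severity:", open_by_severity(reg))
```

The register keeps the original title, source and date of every row, so the story behind each finding (Tip 4) is still traceable after normalization; only the severity and status columns are rewritten onto the common scale. Real reports will need their own entries in `FIELD_MAPS` and `SEVERITY_MAPS`, and an unknown severity value raises rather than being silently dropped, which is the cheap way to catch a report whose scale you have not mapped yet.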