Operational Risk: Remediation, Root Cause and New Controls
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

January, 2013

An organization is at risk when security vulnerabilities are present. This article outlines practical ways to accelerate remediation within the risk tolerance of senior executives. It also includes tips to increase efficiency. That provides capacity to implement new safeguards without increasing headcount.

Maturity Level One: Facilitate and track remediation

I. Establish foundational program components


Remediation Standards

Start by defining vulnerability severity ratings with associated remediation requirements. For example, NOAA 60-703 has the following policy: "all Critical and High vulnerabilities will be remediated within 30 days and all Medium vulnerabilities within 60 days. Low vulnerabilities will be remediated after the High and Mediums are remediated".

Configuration Management Database (CMDB)

A CMDB is used to document systems, databases and applications. When a security issue is identified, associated remediation contacts can be found here. Include system and data owners as a best practice.

Remediation Process

Define how security issues are declared and tracked to closure. Include each role involved within the process. This initial documentation will evolve over time.

Security System of Record

Use a System of Record to track security issues from when they are identified to when they are confirmed as remediated. A SharePoint Site may be sufficient initially and can be useful to drive out requirements for a Governance, Risk and Compliance application.

Accountability

Remediation begins with identifying those responsible for resolving issues. Assign a security professional to track each issue to closure. Identify an accountable person to provide status on plans to remediate each issue. Examples of Issue Respondents include System Administrators and Developers. Establish custom roles to ensure accountability from the Issue Respondent up the management chain to senior executives.

Reporting Portal

Reporting provides executives with visibility into security issues from risk and compliance perspectives. Refer to my Enterprise Risk and Compliance Reporting article for more information.

Welcome Packet

Create a document that explains the program in a user friendly manner. Begin by defining roles within the process. Explain how issues are declared and communicated. Provide an overview of remediation requirements. Describe escalation processes. Conclude with security resources and a contact for questions. Conduct briefings to explain the program. Provide the Welcome Packet as a reference document.

II. Influence remediation within standards

Remediation can be accelerated by leveraging roles, responsibilities, standards, reporting and communications.

Facilitate and track remediation

Create a template for facilitating remediation and iterate on it over time. The subject line is important. Mention the risk rating to draw attention to the issue. Include the issue number to make it easy to search for related messages.

  Subject: High Risk Issue: (Issue Number)

Request a target remediation date in the first message. Provide the vulnerability name, issue due date and reference your company's remediation standard. Keep the e-mail thread intact (i.e. in one piece). That retains the history of the issue, which can aid in escalations. Always address one person for accountability.

Keep in mind that a target remediation date that matches the due date is always questionable. The Issue Respondent should have a plan to remediate each issue. Findings should be addressed well before the remediation standard due date from a risk perspective.

Establish meeting routines

Meet with managers and executives proactively to learn their roles and discuss how they fit into the program. Keep in mind that technology teams are focused on providing new features and functionality, with the goal of enabling the business to generate revenue. Establish relationships and solicit feedback from management. Make efforts to minimize productivity impact and compliance burden. Establish quarterly 1:1 meetings from that day forward to keep in contact.

Send notification of high risk issues

Send notification of high risk issues within 24 hours of the time they are declared. High risk issues must be remediated within a short time frame. Every day counts when you take into consideration researching the issue, developing a fix, testing the fix and implementing it within a maintenance window. Recipients should include the individual contributor responsible for remediating the finding, with every person in the management chain up to senior executives.

Establish a risk registry

Establish a policy that requires sign-off by an executive if remediation standard due dates will be exceeded. Document delinquent issues in a risk registry. This ensures risk transparency. People are also less likely to miss a remediation due date if their executive has to sign-off on the risk registry entry. Send the policy to all affected personnel. Refer to the ISACA Risk IT Framework for more information.

Send notification of watch items

Send a 'heads up' message to Issue Respondents on Week # 1. Let them know there are watch items in their space and the executives will have visibility the following week.

Watch items should consist of:

· Issues older than two weeks with no target remediation date
· Issues with target remediation dates that occur in the past
· Issues that are past due or have a target date that exceeds the remediation standard, with no risk registry entry in place

On Week # 2, send the current list of Watch Items to executives. Repeat the process bi-weekly to keep the portfolio of issues under control.

Embed Watch Items into established communications routines such as staff meetings. Notification is critical to driving executive awareness and accelerating remediation time lines.

Escalate when appropriate

Keep in mind there are degrees of influence. Start with introductions of requirements. Raise awareness of the risk. Establish an understanding of why an issue cannot be remediated within standards. Offer to escalate in partnership (together) to gain the necessary resources. Contact the appropriate executive to help ensure out-of-budget funding does not become a constraint.

Be deliberate when escalating. For example, within the message body: Adding Jane Smith to the Cc for awareness. Call a meeting if an e-mail volley begins or if frustration is expressed by those responsible for remediation.

Recognition

When an assessment or scan completes with only low risk issues send a recognition e-mail to the accountable manager and their executive.

Maturity Level Two: Determine root cause and prevent re-occurrence

Examine issue trends within system and application portfolios. Establish controls to prevent identified vulnerabilities. In cases where that is not practical, focus on ways to keep reoccurring vulnerabilities from being exploited.

Maturity Level Three: Focus on increasing efficiency and capacity

Look for ways to meet goals with reduced resources. One example is to free up capacity through self-service scanning. Configure an existing scanning tool to eliminate the vast majority of false positives. Integrate the tool into IT quality change processes. Use the increased capacity to implement new preventive and detective controls.

Maturity Level Four: Conduct evaluation for undetected security issues

Conduct pilots of new security technologies at least annually. Evaluate commercial and open source software. Consider tools used by the hacking community. Continually look for new tools for ethical hacking assessments and for routine scans.

Maturity Level Five: Alter risk model to detect issues with existing techniques

Consider how security scans and assessments are deployed based upon risk. For example, if current coverage finds a population to be compliant year over year, consider reallocating resources for one cycle to a population that has never been evaluated. Refer to my Information Security Risk Model article for more information.

The point of this article is to raise awareness of security issues to those responsible for remediating them. Make use of existing IT processes to drive remediation. The increased capacity can be used to discover new security vulnerabilities and to implement new safeguards. Security personnel and associated controls impact the bottom line. It is critical to focus them on business risk, in a lean and effective manner.


About the author: Gideon T. Rasmussen is a Charlotte-based Information Security Risk Manager with over 15 years experience in corporate and military organizations. His website is www.gideonrasmussen.com. The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers.




Originally published by RiskCenter (January, 2013)