The assessment is now complete and you’ve attended the closing meeting and have received the findings. Naturally, there are items that need to be addressed. Even in environments that are well-controlled, there are always things that can be improved. This week we’ll look at what the findings mean and considerations for remediating the findings.
Regardless of the type of assessment performed, the assessor will reveal gaps between the current state of affairs and the ideal. […] place, but a compensating control exists that “for the most part…works”. Of course, there are any number of possibilities in between, and when a weakness in a control is discovered and placed on the report, the organization has several choices to make about the finding.
Findings Report as a Prioritization Tool
Conducted appropriately, the findings will be ranked by severity. Regardless of the labels placed on the findings, you can expect three, four or even more levels. A well-adapted range provides enough granularity to adequately describe the performance of a control and to provide some level of prioritization. For example, many of our assessments follow ISACA’s CobIT framework and likewise adopt its Maturity Model. The CobIT Maturity Model evaluates each control, and the overall environment’s maturity, on a six-part scale:
This scale allows us to quickly and accurately describe everything from a single control up to the entire environment—and does so in a way that gives stakeholders some guidance as to where the organization’s environment falls. While useful, we have found that a Severity Level in addition can convey a sense of urgency about fixing the issues that exist. For this reason, we also label each finding with a Severity. Different models use different labels, but once again a scale with enough granularity allows the organization to use the information conveyed to prioritize the remediation steps. We have therefore tended to use a four-stage Severity Level of:
- Best Practice
- Advisory
- Significant
- Critical
With Critical findings being the most severe.
Very quickly and effectively, we can communicate the gaps between the current environment and the ideal in such a way that the organization is guided to the right priority for remediation. Depending on the organization, there may be specific ramifications (e.g. escalation, a timeframe imposed for remediation, etc.) based on the level of severity. As a general rule of thumb, a Critical finding is one where an imminent threat exists (and more than once, our assessment has actually identified an ongoing attack that the organization was unaware of). Organizations that receive a Critical finding generally remediate the issue immediately, and certainly within thirty days. Significant findings, on the other hand, while urgent and important, usually require a little more planning to resolve. While they don’t have to be, they tend to be more infrastructure-related items, necessitating a well-thought-out implementation plan. With Advisory and Best Practice findings the urgency is removed and the method of remediation is more flexible.
So with all of these findings, what choices does an organization have when it comes to the remediation? Recognizing that every organization has constraints on resources, it is unlikely that your organization will be able to completely address every finding – although some do and many come very close.
One of the most misunderstood aspects of an Assessment is that, as assessors, it is not our responsibility to “couch” a finding in such a way as to allow a resource-constrained organization to simply sweep it under the rug for lack of resources. Said differently, we sometimes find an issue that is cost-prohibitive to fix yet poses a significant risk; the organization will ask us for a “free pass” on the finding, indicating that there’s no way management/ownership will ever allow them to fix it. We politely explain that this is precisely why we cannot ignore the finding: it is by getting it onto a report and into the right hands that such issues get the attention they need. Even if IT has been bringing it to management/ownership’s attention for years, somehow the magic of having it on an external report brings with it a way of addressing it.
That being said, not every finding is created equal and therefore neither should the remediation. So what are the options? We’ll examine each, but here’s the list of what we typically see:
- Fix the root-cause of the issue,
- Provide additional evidence that shows that the control is in-place and working,
- Demonstrate a mitigating control (usually manual),
- Change the documented control, and
- Leave as a residual risk
As it turns out, organizations approach the findings in a number of ways. Of course, the number one method of remediating a finding is to fix the root cause of the issue and just get it done. The good news is that many findings simply require attention: perhaps a tweak to a setting, a configuration change here or there, or installing a simple fix. As a result, the vast majority of findings are actually fixed.
Sometimes the finding isn’t a finding. As mentioned in a previous entry, when we gather evidence about a control the individual sometimes doesn’t give us everything, or doesn’t understand the importance of it, even when we ask repeatedly or phrase it differently. In these situations, once the finding ends up on a report and the person better understands the impact, they revisit things and share new information with us. Sometimes that suffices; other times it doesn’t, and it’s more of a Hail Mary attempt.
That last method may be closely related to the idea of demonstrating a compensating or mitigating control. While it is ideal to find technology-related controls that either prevent or detect an issue, sometimes it is not feasible to have a technology-based control in-place. However, to simply ignore any controls surrounding the area of concern would equally be problematic. Organizations, recognizing this problem, often put manual controls in place designed to address the underlying issue. Following the usual control methods, it may be designed to prevent the issue from occurring in the first place and may be placed upstream from the area of concern. In other situations it is placed downstream of the technology and designed to prevent any follow-up activity that the technology-based solution would have addressed. And of course, if a preventative manual control can’t be implemented, then a manual control designed to detect an issue should be put into place.
The next option deals with the actual design of the control in the first place. Oftentimes the control environment evolves over time. Sometimes it expands to include things that were not contemplated when it was initially put into place, and oftentimes controls that have always been in place are simply left there even though the underlying conditions have changed. As a result, a risk that was once mitigated by specific controls may no longer be mitigated, or not mitigated in its entirety, and the fastest way to bring the risk under control may be to redesign the control structure. When doing so, it’s always best to find a control that will prevent the underlying risk from being exploited; if a preventative control is not possible, one should design a control that will detect the exploitation of that risk and alert the appropriate individuals so that it can be rectified.
Finally, the last option is to leave the finding as-is and simply accept that the risk exists. This may result from a number of different factors: the cost of mitigation is too great for the perceived benefit, there are no viable options due to other factors, compensating controls can’t be designed without compromising other more important factors, or the organization’s appetite for risk is simply higher than the effort it would take to remediate the issue. Needless to say, this is typically a last-resort response, but it is a valid method of addressing a finding. In a number of ways, for the department/division/portion of the organization being assessed, this can function as a “CYA”: the issue has been raised and management/ownership made aware of the problem.
Putting it All Together
Obviously, from an Assessor’s standpoint, we’d love to see every issue that is discovered rectified. From a pragmatic standpoint, we know that is unlikely in almost all organizations. There are diminishing returns on the investment, even if the “fix” is nothing more than some TLC. By looking at the severity of the findings along with the overall objectives of the Assessment, a prioritized remediation plan can be put into place that adequately addresses the findings and, over time, provides a better overall control environment for the organization.