Summary

You and your team are near the end of the assessment process. Although there are still some changes to implement, most of the assessment has been completed. This phase started with an analysis of the findings, which was a good opportunity to involve your team and use their input. Just as they were valuable in performing the assessment, their skills can be useful in preparing the final report. Hopefully, you have kept attention focused on the organization’s critical systems and information that were identified earlier in the assessment.

With this information, you will still need a way to rank your findings. Two qualitative tools were introduced here to help in this process. The first is the raw risk score, calculated by multiplying probability by impact. The second is the total risk score, obtained by multiplying the raw risk score by the level of control. The level of control is the factor that existing policy contributes to raw risk: good policies hold raw risk down, whereas poor policies amplify it.

A total risk score was calculated for each of the 18 categories of policies that were originally introduced in Chapter 5, “Scoping the Project.” This provided a way to document the findings so that they are easy for management to digest. The result of this work was compiled into the final report. The report serves to document not only what was performed, but also how it was performed and what the findings were. These findings should have focused both on remediation efforts that could be implemented quickly and inexpensively and on solutions that may cost more in time and effort but will provide better long-term security.
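As an added worked example (not code from the book), here are the two scores applied to a few policy categories and ranked by total risk. The 1-to-5 rating scale for probability and impact, the multiplier form of the level of control (below 1.0 when policy holds risk down, above 1.0 when it amplifies it), and the category names and values are all assumptions constructed for illustration.

```python
"""Rank assessment findings by raw risk and total risk score.

Added worked example; not code from the original chapter. Scales are
assumptions: probability and impact are rated 1 (low) to 5 (high), and
the level of control is a multiplier where 1.0 means existing policy
neither reduces nor amplifies raw risk, values below 1.0 mean good
policy holds raw risk down, and values above 1.0 mean poor policy
amplifies it.
"""
from dataclasses import dataclass

PROB_IMPACT_SCALE = range(1, 6)  # assumed 1..5 rating scale


@dataclass(frozen=True)
class CategoryRating:
    category: str            # policy category being scored
    probability: int         # likelihood the weakness is exploited, 1..5 (assumed)
    impact: int              # harm to critical systems/information, 1..5 (assumed)
    level_of_control: float  # policy multiplier: <1 holds risk down, >1 amplifies it


def raw_risk(rating: CategoryRating) -> int:
    """Raw risk = probability x impact."""
    if (rating.probability not in PROB_IMPACT_SCALE
            or rating.impact not in PROB_IMPACT_SCALE):
        raise ValueError(f"{rating.category}: probability and impact must be 1..5")
    return rating.probability * rating.impact


def total_risk(rating: CategoryRating) -> float:
    """Total risk = raw risk x level of control."""
    if rating.level_of_control <= 0:
        raise ValueError(f"{rating.category}: level of control must be positive")
    return raw_risk(rating) * rating.level_of_control


def rank_categories(ratings):
    """Return (category, raw, total) tuples, highest total risk first."""
    scored = [(r.category, raw_risk(r), total_risk(r)) for r in ratings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample ratings for a handful of categories (not real data,
# and not the book's 18 categories).
SAMPLE_RATINGS = [
    CategoryRating("Backup and recovery", probability=2, impact=5, level_of_control=0.8),
    CategoryRating("Remote access", probability=4, impact=4, level_of_control=1.2),
    CategoryRating("Physical security", probability=3, impact=3, level_of_control=1.0),
    CategoryRating("Password management", probability=5, impact=3, level_of_control=1.5),
]

if __name__ == "__main__":
    for category, raw, total in rank_categories(SAMPLE_RATINGS):
        print(f"{category:<22} raw={raw:>2}  total={total:>5.1f}")
```

Note how the level of control changes the order: "Remote access" has the higher raw risk (16 versus 15), but weak password policy lifts "Password management" to the top of the total-risk ranking, while good backup policy drops "Backup and recovery" below a category with a lower raw score.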

Note

Not all recommended controls and solutions will be implemented. Some may not be feasible because of time, cost, technical requirements, or the will of senior management.


What should have been most important about the process is that it served as a learning experience: a chance to learn about the organization, determine the systemic causes that led to vulnerabilities, and correct deficiencies with improved policy, procedures, and training. After all, security is a continuous process that builds on lessons learned. Otherwise, as George Santayana said, “Those who cannot remember the past are condemned to repeat it.”
