Building a Risk Remediation Program

February 3, 2016

Challenge

Our client, a leading fashion specialty retailer with locations across the United States and Canada, was not managing risk remediation consistently or effectively. It could not tell whether the vulnerabilities that had been found were actually being remediated; roles and responsibilities were unclear; and the level of testing, the definition of risk ratings, and the expected remediation dates all varied from one assessment to the next, resulting in missed vulnerabilities on business-critical systems. The company also had no Governance, Risk, and Compliance (GRC) tool for tracking and managing risks, and no single repository of findings from which to perform trend analysis.

To address these issues, the Information Security & Compliance (ISC) team was tasked with developing a Risk Remediation program, and contacted Kalles Group (KG) to assist.

Approach

A KG consultant was brought in as a Senior Information Security consultant on the Information Security & Compliance (ISC) team, which serves as the custodian for information security policies and standards, and interacts with other teams to drive policy compliance.

The team determined that the Risk Remediation Program would comprise three programs: Vulnerability Management, Risk Management, and Risk Remediation Management. Its goals included:

  • A unified remediation process supporting ISC governance
  • Common prioritization via the ISC Risk Management Program
  • Consistent destinations for reporting
  • Consistent visibility to remediation action items

Among the primary challenges in establishing the program was obtaining buy-in from the various teams that would be responsible for supporting it. Buy-in was obtained by establishing professional working relationships with key stakeholders, presenting the solution formally for review, and actively soliciting their constructive feedback.

Solution

The foundation for the Risk Remediation program was rooted in NIST Special Publication 800-42 v2 as well as SANS guidance. The program is cyclical in nature, and once it was implemented its activities typically ran concurrently.

A series of presentations was delivered to introduce the organization to the concepts of Risk Management and Risk Remediation. The presentations were initially shared with first level managers and subsequently to higher leadership levels in the organization, culminating with a presentation to the ISC Core Team and the ISSC team (a sub-group of the Board of Directors).

Costs were minimized through the use of existing tools—Microsoft PowerPoint, Excel, Word, and SharePoint—in order to establish the process framework for implementation of the GRC tool. Standard operating procedures were thoroughly documented and automation via existing tools and templates was leveraged where feasible and appropriate.

Results

Our client now has the capability to produce Consolidated Risk Reports that incorporate findings from multiple sources, translate each source's native measurements into a common risk nomenclature, and consistently prioritize based on criteria relevant to the client. In addition, accountable groups no longer need to work out priority across multiple proprietary report formats.

Furthermore, trend analysis is now possible using the consolidated findings data. For instance, our client's processes accounted for patching (e.g., Patch Tuesday) only once a month, and the field process for resolving issues consisted of re-imaging a machine (or register) from an image that was over 18 months old. By charting the cumulative growth of open vulnerabilities, the KG Risk Remediation solution showed quantifiably that the rate at which vulnerabilities were accumulating was outpacing the existing process. As a result, the IT support team updated the baseline image and increased the frequency of patch releases to address the cumulative growth.
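The two capabilities described above, translating each source's native severity into one common nomenclature with a consistent priority order, and charting open findings over time so that growth outpacing remediation becomes visible, look like the following when reduced to code. This is an added example, not Kalles Group's or the client's tooling. The two source names (`netscan`, `pentest`), the vendor `P1`..`P4` label scale, the asset criticality tiers, the SLA days per rating, and the sample records are all constructed assumptions; only the CVSS bands are real (the CVSS v3 qualitative scale NVD publishes).

```python
# Added example (not the client's or Kalles Group's tooling): every source
# format, label scale, asset tier, SLA value and sample record below is assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}      # common nomenclature
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}  # assumed policy
ASSET_TIER = {"pos-register": 1, "store-server": 2, "corp-laptop": 3}  # 1 = critical
PENTEST_LABELS = {"P1": "Critical", "P2": "High", "P3": "Medium", "P4": "Low"}
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


@dataclass
class Finding:
    source: str
    asset: str
    title: str
    rating: str                  # common nomenclature, never the native scale
    found: date
    due: date                    # found + SLA for the rating
    closed: Optional[date] = None


def rating_from_cvss(score: float) -> str:
    """CVSS v3 qualitative severity bands, as NVD publishes them."""
    return next(r for floor, r in CVSS_BANDS if score >= floor)


def normalize(raw: dict) -> Finding:
    """Translate one raw record into the common format.

    Unknown sources or labels raise instead of silently becoming 'Low': a
    finding that cannot be rated must not quietly drop out of the report.
    """
    src = raw["source"]
    if src == "netscan":                          # assumed: exports CVSS scores
        rating = rating_from_cvss(float(raw["cvss"]))
    elif src == "pentest":                        # assumed: exports P1..P4 labels
        label = raw["severity"].strip().upper()
        if label not in PENTEST_LABELS:
            raise ValueError(f"unknown pentest severity label {label!r}")
        rating = PENTEST_LABELS[label]
    else:
        raise ValueError(f"no translation defined for source {src!r}")
    found = date.fromisoformat(raw["found"])
    closed = date.fromisoformat(raw["closed"]) if raw.get("closed") else None
    return Finding(src, raw["asset"], raw["title"], rating, found,
                   found + timedelta(days=SLA_DAYS[rating]), closed)


def prioritize(findings, today: date):
    """Open findings ordered by rating, then asset tier, then most overdue."""
    return sorted((f for f in findings if f.closed is None),
                  key=lambda f: (RANK[f.rating],
                                 ASSET_TIER.get(f.asset.split(":")[0], 9),
                                 -(today - f.due).days))


def _month_end(month: str) -> date:
    year, mon = (int(x) for x in month.split("-"))
    nxt = date(year + 1, 1, 1) if mon == 12 else date(year, mon + 1, 1)
    return nxt - timedelta(days=1)


def open_count_by_month(findings, months):
    """Cumulative open findings at the end of each YYYY-MM month."""
    return {m: sum(1 for f in findings if f.found <= _month_end(m)
                   and (f.closed is None or f.closed > _month_end(m)))
            for m in months}


def monthly_flow(findings, months):
    """(new, closed) per month; growth outpaces remediation when new > closed."""
    return {m: (sum(1 for f in findings if f.found.strftime("%Y-%m") == m),
                sum(1 for f in findings
                    if f.closed and f.closed.strftime("%Y-%m") == m))
            for m in months}


RAW_FINDINGS = [  # constructed sample records from the two assumed sources
    {"source": "netscan", "asset": "pos-register:0412", "title": "Missing OS patch", "cvss": 9.8, "found": "2015-10-05"},
    {"source": "netscan", "asset": "corp-laptop:1188", "title": "Outdated browser plugin", "cvss": 8.1, "found": "2015-10-07", "closed": "2015-11-02"},
    {"source": "pentest", "asset": "store-server:07", "title": "Reflected XSS", "severity": "P2", "found": "2015-11-12"},
    {"source": "netscan", "asset": "pos-register:0091", "title": "SMBv1 enabled", "cvss": 7.5, "found": "2015-11-20"},
    {"source": "pentest", "asset": "corp-laptop:1188", "title": "Weak TLS config", "severity": "P3", "found": "2015-12-03"},
    {"source": "netscan", "asset": "store-server:07", "title": "Missing Java update", "cvss": 9.6, "found": "2015-12-15", "closed": "2016-01-10"},
]

if __name__ == "__main__":
    items = [normalize(r) for r in RAW_FINDINGS]
    for f in prioritize(items, date(2016, 1, 20)):
        print(f"{f.rating:8} {f.asset:18} due {f.due}  {f.title}")
    print(open_count_by_month(items, ["2015-10", "2015-11", "2015-12", "2016-01"]))
```

Two design points carry over to a real GRC pipeline. First, an input that cannot be translated raises rather than defaulting to the lowest rating, because a silently down-rated finding is exactly the "missed vulnerability on a business-critical system" the program set out to eliminate. Second, the trend functions work from found and closed dates only, so the same cumulative chart can be produced from any source once it has passed through `normalize`; with the sample data, the open count rises from 2 to 5 over three months while only one finding is closed per month, which is the growth-outpacing-remediation picture the text describes.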
