Security reviews are not complete without a developed action plan. The action plan provides guidance and a path toward mitigating threats. Over the last couple of weeks I have had the opportunity to develop an action plan for a fictional organization as part of my studies.
When building upon findings that already exist, the development of an action plan is not overly difficult. Threats have already been identified and documented, so the creation of a mitigation plan is the next logical step. What can be challenging is understanding the customer’s environment so that the action plan makes sense and can be followed.
During security assessments, assessors should learn enough about the network to provide reasonable actions based on the threats found. At the beginning of the term, we worked through some discovery exercises and eventually created a network diagram. This diagram, along with other reports provided within the case study, allowed me to design an action plan that the team should be able to follow and implement with little trouble.
An action plan may contain guidance that is difficult to implement. In our case study, senior management was against securing their wireless network. Directives like this are often political in nature, and political battles are some of the hardest for IT teams to win. Other action items may take several months or even years for teams to implement. In these situations, the action plan will provide high-level guidance, but the team will need to create a more detailed project plan that helps them through the change process.
Action plans are a key part of any security assessment. These high-level guidelines help teams reduce their risk and improve the security posture of the organization. Some actions will be more difficult to implement than others, especially actions that require changing user behavior or deploying stricter security controls.