After you've completed an audit and uncovered issues in information security at your organization, it can be tempting to veer toward inaction. You have other things to take care of and you don't have the time to fix everything right away. But of all the choices you can make, inaction is the worst one. After all, the purpose of the audit was to discover strengths and weaknesses. If you want to achieve greater data security, less downtime and a better all around security posture, then your mandates and priorities need to be clear.
What to do after your information security audit
The first step to remediation is organization. You know the value of what you found based on how you prioritized your audit, so it stands to reason that you could prioritize your reactions in the same manner.
The first step to remediation after your info security audit is organization. Click to tweet
Rate your security remediation needs chronologically. Which holes do you need to fix within the next 24 hours? The next week? The next three months? The next year? If you have compliance needs and your audit was informed by your compliance mandate, that will also inform how quickly you need to perform remediation.
Next, start sourcing fixes for those high-priority vulnerabilities. If you aren't aware of the possible fixes, it can be beneficial to have a third-party consultant run through a remediation plan based on the vulnerabilities your audit discovered. They can detail which patch you must apply in order to fix a vulnerability in your VMWare server, for example, and how to apply it.
Depending on who is driving your audit (your IT team, just you, the C-suite), fixing vulnerabilities may be beyond the scope of their expertise. That just means it's time to find the right human resources to assist. For instance, if you find a performance issue with a VMWare server that could cause a security weakness, and you don't have a VMWare certified professional on staff, you'll need to hire an outside organization to determine the best course of action to resolves the issue.
Once you've prioritized your needs, found the right resources, and completed the first steps toward remediation, it's time to look toward the future. As SANS detailed way back in 2003, security auditing is a continuous process. If you have any compliance regulations, you'll have to do this same process again, based on your mandate. Start preparing for your next audit by creating a timeline and a budget informed by your last audit. Consider the amount of work your internal staff can't take on, and who will — and either factor in the cost of that third party, or factor in training costs. What would it take to make sure your staff could handle the audit and the remediation efforts on their own?
With a remediation plan (followed by expert execution, of course) and a budget and timeline for your next audit in hand, you've accomplished what you set out to: a successful infosec audit whose results ultimately strengthen your security posture.
Originally published on 11/03/2016