So you have completed your security controls assessment. You have beautiful risk assessment reports, and a big beautiful plan of action and milestones (POA&M). Now what? You have to bring your plan to manage risk into reality.
According to the Department of Homeland Security’s Office of Cybersecurity and Communications, if you stacked all of the paperwork generated by assessment and authorization packages, it would stand almost as high as the Washington Monument. Assuming the risk was properly assessed to begin with, all that documentation still doesn’t guarantee successful risk mitigation. However, here are three tips to ensure success at the point of execution:
1. Use Project-Management Methods
A POA&M is a list of the shortcomings found during an assessment, or of risks that the organization has identified in day-to-day work and would like to mitigate. It contains:
- The risk
- The risk severity
- The planned risk mitigation
- Who is responsible for the risk mitigation
- When the mitigation will happen (to include milestones)
- The resources required to mitigate the risk
- The status of the risk mitigation
So the POA&M is essentially a project schedule. According to the Project Management Institute’s Project Management Body of Knowledge (PMBOK), developing the project schedule “is the process of analyzing activity sequences, durations, resource requirements and schedule constraints.” This means that in addition to the risk level, the organization must also consider:
- Availability of resources needed, especially if they come from multiple organizations, like security, operations, and development.
- Dependencies between risk mitigations (i.e., in order to do this, we must do that first).
- The expected duration of each risk mitigation task.
So the schedule of risk mitigations is greatly influenced by the risk severity, but it depends on more than severity alone. By developing the POA&M using the same methods used to schedule a project, it becomes realistic, and therefore executable. Obstacles, such as new, high-priority development requirements, that might pull resource time away from mitigating risks and regression testing the mitigations can be better foreseen and compensated for. If the organization uses a process like Agile, each risk mitigation becomes another user story that is added to the backlog and assigned to a sprint like any other requirement.
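The scheduling rules above (severity sets priority, but dependencies and resource availability decide when a mitigation can actually start) can be expressed as a small list scheduler. The following is an added example, not code from the original post or from PMI; the POA&M entries, the severity scale, the owner names and the day counts are constructed sample data, and the assumption that each owner (team) works on one mitigation at a time is a simplification chosen for illustration.

```python
import heapq
from dataclasses import dataclass, field

# Constructed severity scale: lower rank means higher priority.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass
class PoamItem:
    """One POA&M row: the risk, its severity, who owns the fix,
    how long it takes, and which other rows must finish first."""
    item_id: str
    risk: str
    severity: str
    owner: str                      # resource (team) that performs the mitigation
    duration_days: int
    depends_on: list[str] = field(default_factory=list)


# Constructed sample POA&M (hypothetical entries, not from any real assessment).
SAMPLE_POAM = [
    PoamItem("P-1", "Web server missing vendor patches", "high", "ops", 3),
    PoamItem("P-2", "Web app lacks server-side input validation", "critical",
             "dev", 5, depends_on=["P-3"]),
    PoamItem("P-3", "No staging environment for regression testing", "moderate",
             "ops", 2),
    PoamItem("P-4", "Default accounts present on call manager", "low", "ops", 1),
]


def schedule(items):
    """Return [(item_id, start_day, finish_day), ...] in execution order.

    Topological order (Kahn's algorithm) honours dependencies; among the
    mitigations that are ready, the most severe is picked first; the start
    day is pushed back until both its dependencies are done and its owner
    is free. A dependency cycle raises ValueError so the POA&M is fixed
    before anyone commits to dates.
    """
    by_id = {i.item_id: i for i in items}
    indegree = {i.item_id: 0 for i in items}
    dependents = {i.item_id: [] for i in items}
    for i in items:
        for dep in i.depends_on:
            if dep not in by_id:
                raise ValueError(f"{i.item_id} depends on unknown item {dep}")
            indegree[i.item_id] += 1
            dependents[dep].append(i.item_id)

    # Ready queue keyed by (severity rank, id) so ties resolve deterministically.
    ready = [(SEVERITY_RANK[i.severity], i.item_id)
             for i in items if indegree[i.item_id] == 0]
    heapq.heapify(ready)

    finish = {}          # item_id -> day the mitigation is complete
    owner_free = {}      # owner -> first day that team is available again
    plan = []
    while ready:
        _, item_id = heapq.heappop(ready)
        item = by_id[item_id]
        deps_done = max((finish[d] for d in item.depends_on), default=0)
        start = max(deps_done, owner_free.get(item.owner, 0))
        end = start + item.duration_days
        finish[item_id] = end
        owner_free[item.owner] = end
        plan.append((item_id, start, end))
        for d in dependents[item_id]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, (SEVERITY_RANK[by_id[d].severity], d))

    if len(plan) != len(items):
        stuck = sorted(set(by_id) - set(finish))
        raise ValueError(f"circular dependency among {stuck}")
    return plan


if __name__ == "__main__":
    for item_id, start, end in schedule(SAMPLE_POAM):
        print(f"{item_id}: day {start} -> day {end}")
```

Running it on the sample shows why severity alone does not set the order: the critical item P-2 cannot start until the moderate item P-3 (the staging environment) is finished, and P-3 itself waits because the ops team is busy with P-1, so P-2 lands third in the schedule at day 5 rather than first.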
2. Collaborate at the Organizational Level
The POA&M is an organizational document, just like a project schedule. It must be collaboratively developed with those who will execute it, not merely thrown together by the security office. Because the POA&M should drive resource allocation and utilization like any other requirement, it should be reviewed routinely during meetings, such as configuration-control boards, change-management boards or sprint-planning meetings.
3. Promote Accountability
Like any other task on a project schedule, each risk mitigation should have an owner and resources allocated to it. When reviews are held with upper management, the task (or in this case, risk-mitigation) owner should be the primary driver of updating the task status. The task owner should also be the individual most closely aligned with managing the asset (e.g., web server, database server, voice-over-IP call manager) for which the risk is being mitigated. This enables a more accurate description of the risk mitigation and its current status. Often, despite what an outside source (the software vendor, for example) says the mitigation should be, there are second- and third-order considerations that only the asset owner is aware of. As such, the mitigation or its scheduling may need to be adjusted.
Many organizations find themselves with a lot of paper (or data) and little to show for it. However, these three tips can go a long way to ensuring risk management success at the point of execution.
To learn more about mitigating your organization’s cyber security risk, contact us at 571-481-9300 or send us a message.