Grab your SMART goals. Vacuum up all the checklists within a 500-mile radius. Get out your magic horn and reassemble the project team. Because it’s time to Plan Like You Mean It. (Pretend you’re in one of those elaborate heist movies. It’ll be great.)
Yes, last time we took a dive into cybersecurity risk management – specifically how to conduct a cybersecurity risk assessment. You’ve ended up with a terrifying-yet-prioritized list of cybersecurity gaps to close and vulnerabilities to fix. So here’s where you put together your awesome Plan of Action (feat. checklists), a.k.a. your Gap Remediation Plan.
Wait, I Didn’t Read That One Yet. What’s The Skinny?
Here’s the TL;DR of conducting a cybersecurity risk assessment. As usual, it’s a three-step process:
- Identify. Here’s where you identify your IT assets, their vulnerabilities, and the nature of the cyber threats likely to attack them.
- Analyze. Here’s where you assess the risk of each threat. How likely is it to happen? What’s the impact if it actually happens? You assign a level of risk to each of them. You might assign a number, or a colorful red/amber/green assignment to each. Go wild.
- Prioritize. Here’s where you create a list of risks in order of scariness. You’re prioritizing which to fix first.
Once you’ve got that down, it’s time to plan the actions that will reduce those big scaries to tiny, baby scaries, or even ex-scaries, i.e., mitigate or disappear the dang risks. The plan you end up with is what’s called your gap remediation plan.
But First, Strategy.
Before your wee noggin can even think about putting a gap remediation plan into action, it’ll need to think about strategy, and not just any old strategy, but cybersecurity strategy. Your gap remediation plan fits neatly into this strategy.
We all know that a robust, progressive strategy makes everything better, and your cybersecurity strategy details the guidance and safeguards to make sure you go about fixing those gaps in a best-practices way that’s aligned to your business objectives.
Cybersecurity Strategy: A Recipe
When you want to cook up a cybersecurity strategy, make sure you use all these ingredients:
Strategy Ingredients | What It Means | What It Does For Your Lovely Gap Remediation Plan |
Objectives & Priorities | What you want out of cybersecurity: e.g., risk reduction, compliance, better security awareness, effective incident response, and more. | Risk reduction is the key objective that relates to your gap remediation plan and helps you define what success actually looks like. |
People & Roles | Who’s involved in and responsible for cybersecurity: who’s in charge; who’s taking action; what’s expected of all staff; 3rd party support; stakeholders, e.g., customers, shareholders, regulatory bodies | Helps you identify people and assign roles, like who will:
|
Communication | Agreed methods of communication | Helps you identify and agree on communication channels and protocols for the remediation project. |
Budget & Resources | Allocates $ and other resources (people, tech, time) to support your cybersecurity objectives | Helps you cost and allocate budget and resources to priority gap remediation activities. |
Monitoring & Feedback | Defines and standardizes what should be monitored, and how. Also defines reporting protocols and the process for continuous improvement. | Helps you create testing and monitoring protocols for each gap, as well as sign-off parameters for when that gap is considered non-gappy. |
Remediate Those Gaps: Time For Action
You’re big and strong enough now to understand action planning and SMART goals. We all are. Throw in your boss’ favorite project framework – Gantt, CPM, Kanban, scrum, yadda yadda whatever – for organizing, scheduling, and coordinating tasks to get those gaps remediated. So let’s get down and dirty with some full-contact gap remediation action – metaphorically. (Nobody needs to people that hard.)
The action you take will depend on your particular circumstances, obvs, but howzabouts we have some fun by focusing on one important aspect of your IT ecosystem as an example: your IT asset lifecycle. We’ve been around the block long enough to fixate unhealthily on this aspect of IT, basically because there are often gaps so large you could drive an Airbus through ‘em.
Let’s take a look.
Gap Remediation Plan: NEW! Asset Lifecycle Flavor
What you tackle first depends on your priority risks, but we’ll start at the very beginning of the lifecycle.
Now it’s time for checklists, because it’s always time for checklists. Let’s remediate some of those pesky gaps for each stage of the IT asset lifecycle because we’re here now so we might as well. Let’s go!
1. Device Procurement
Common Gaps/Risks | Gap-Closing Checklist |
Insecure supply chain: how good is your vendors’ security? | Decide assessment criteria for each supplier. Got an IT procurement strategy? Maybe you’ll find them there. Check suppliers against criteria, or on info like their security policies, certificates, and assurances. |
Standard vendor passwords: Yep, everyone who bought that software has the same password. | Create a password protocol that includes using only complex passwords, and checking for/changing default passwords. |
Having zero central control | Bring your fleet into centralized control by enrolling them in mobile device management. This’ll give you the IT asset inventory that you’ve always dreamed of. |
2. User Onboarding & Provisioning
Common Gaps/Risks | Gap-Closing Checklist |
Open access to new and/or existing devices and data |
|
Personal devices used for business |
|
Misconfigured devices: you can’t rely on vendor security protocols |
|
3. Device Monitoring & Security. Also, People.
Common Gaps/Risks | Gap-Closing Checklist |
Ancient OS and non-updated software make a hacker’s job easier |
|
Data unguarded while stored or transmitted |
|
User misbehavior, e.g., jailbreaking devices, using unauthorized apps and websites |
|
User ignorance, e.g., falling for social engineering and phishing attempts |
|
4. User Offboarding
Common Gaps/Risks | Gap-Closing Checklist |
Insider threats by annoyed ex-employees e.g., Bonnie |
|
5. Device Warehousing, Reassignment or Disposal
Common Gaps/Risks | Gap-Closing Checklist |
Device mislaid or lost after offboarding: no system for secure collection and storage | Deploy device warehousing system |
Devices containing inappropriate data or an old OS get reassigned | Deploy device maintenance policy: clean/wipe/repair/update of devices. |
Obsolete device reassigned: OS may be un-updateable. | Decide “When is an old device too old?” policy and stick to it. |
Cybersecurity Risk Management Does Get Easier
The more your brain dabbles in cybersecurity risk management, the easier it gets. That’s because, if you take a systematic approach, you’re sorted. You’ve identified, assessed, and prioritized risks, then taken action to reduce them. It may feel as bad as juggling sea cucumbers while trained raccoons nip at your ankles, but it’s much less messy. Especially if you ask for a little help from experts, a.k.a. us. Call us for a friendly, totally-no-obligation-and-we-mean-it chat. We’re waiting and not even joking. (And we don’t nip.)
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!