ENGAGEMENT
A major telecom engaged DayBlink Consulting to lead the management of its growing backlog of internal and external audit findings. The findings called for security vulnerability remediation, the implementation of secure coding practices and other security deliverables. They often overlapped with existing efforts, but were not tracked with the same rigor as internally identified items.
PROBLEM
The information security team at a major telecom was developing a mature vulnerability management program and a secure development lifecycle program, producing robust lists of prioritized remediation items for its security and business teams. In parallel, internal and external audit teams scoped additional projects that resulted in hundreds of major audit findings requiring remediation. Findings and their remediation plans were typically not well documented, raising concern that many of them could not be addressed through existing projects and enhancements.
The information security team also desired a standardized and repeatable process for intake of cybersecurity audit findings to ensure that future efforts would be cataloged, prioritized and scoped as part of the full information security project lifecycle.
SOLUTION
Our team conducted an extensive exercise to collect, catalog and track down information related to the hundreds of findings across dozens of security audits. We systematically cataloged and mapped this information to: i) existing programs or projects, ii) a comprehensive audit findings database, iii) the compliance and regulatory frameworks already used by the security team, and iv) all of the associated audit remediation plans.
In parallel, our team led deep dive working sessions with representation from Audit, Product Security, Information Security and GRC to build an optimized model for review, approval and intake of future audit security findings. This revamped model included formalized approval of remediation plans by both the business and audit committee and ensured that all stakeholders agreed on the work necessary to reduce security risk to an acceptable level.
The newly standardized intake model enabled new reporting and dashboards that quickly highlighted the status of each audit finding. Stakeholders were notified of items nearing review by the Audit Committee, rather than learning of them, as under the historical process, only after their status in audit finding tracking had already turned red.
RESULT
The initial cleanup effort led to the closeout of more than 75 audit findings, because existing project work had already directly remediated them or implemented mitigating measures.
The newly developed audit finding intake and management framework was operationalized and put into practice for all upcoming internal audit engagements, especially those scoped specifically for the information security team. This included the ingestion of all audit findings and associated remediation plans into the centralized security portfolio management database, ensuring that there was no redundancy with existing work and that remediation work was appropriately planned, resourced and operationalized.