WHAT IS AN INFORMATION SECURITY REMEDIATION PLAN?
An information security remediation plan is the approach for fixing security related issues in your organization. An effective security remediation plan is critical for any business with large quantities of security vulnerabilities needing to be fixed. A remediation plan is essentially a list of items or issues to fix in an environment. An organization can have one large security remediation plan or have multiple smaller ones.
Other common names for a remediation plan used interchangeably in the security domain include:
SECURITY PLAN: The term “security plan” often finds its roots from the National Institute of Standards and Technology (NIST) information security frameworks. These frameworks are used by most government agencies, as well now by many private organizations. The distinction between a security plan in this context and a security remediation plan is that the term “security plan” often means the entire security effort for an organization, not simply an approach to fix a defined group of security issues.
SECURITY PROGRAM: A security program has similar meaning to a security plan in the security discipline. Again, it is the entire effort at an organization for addressing information security, not just a focus on a specific plan for addressing a defined group of security issues.
SECURITY PROJECT PORTFOLIO: In most organizations, a security project portfolio is the grouping of security initiatives in a project management context. Generally, if an organization has a project management office, you will hear the term security project portfolio by those folks.
SECURITY ROADMAP: Consultants love to call remediation plans roadmaps. They often still mean remediation plan.
RISK REGISTER: A risk register is used a great deal in organizations that must comply with HIPAA regulations, or by organizations that must protect personally identifiable health information. It can also be found in organizations that have a more formal security risk management program. A risk register is the central management of risk issues in an organization, as well as their alignment to the corrective actions to reduce, transfer, or mitigate these risks. Essentially, a risk register is a remediation plan that formally ties corrective action to the risk issue it is designed to fix.
COMMON PLACES YOU FIND SECURITY REMEDIATION PLANS
* In a spreadsheet during the budget process at an organization.
* Associated with an enterprise security assessment that has been performed
* Associated with a specific project at an organization
* As a condition of letting a third party manage, transmit, store and/or access information on behalf of your organization.
* As a condition before letting your organization manage, transmit, store and/or access information on behalf of a customer or business partner.
* To achieve a security certification such as ISO 27001.
* As a result of Payment Card Industry (PCI) gap assessments. These assessments are the first step for a merchant seeking to become PCI DSS-compliant.