Overview
IT Security is an important component of every organization. However, with any major investment, security implementations must be based on a thorough planning and prioritization process. The planning and prioritization processes help to ensure funding is appropriately allocated to meet the long-term and short-term goals of the organization. In this post, we will explore a framework for utilizing strategic prioritization schemes to manage and prioritize security weaknesses. Strategic prioritization is a component of strategic management that focuses on developing a consensus from across the organization by ranking competing projects to achieve efficiency in the allocation of resources used for meeting the organization's strategic goals.
Like any major IT investment, security must successfully compete with other investment initiatives to ensure it become a driver, rather than an obstacle for business. The prioritization process the organization uses should seek to rank and order identified weaknesses and vulnerabilities as a result of assessments (either internal or external) of the organization against related impacts such as security posture, compliance gaps in policy, security requirements, and other associated risk identification practices. Once the organization has adequately identified the weaknesses and vulnerabilities, corrective actions need to be developed and prioritized to reduce or eliminate the risk. The corrective actions should be part of the overall Corrective Action Plan that provides managers with a tool to track deficiencies and plan resources.
Prioritization Framework
Prior to addressing corrective actions, the first step in establishing a Corrective Action Plan is to identify a baseline set of criteria that can be used in selecting the most important corrective actions first through a prioritization process. The prioritization process ensures the most effective use of resources in the remediation process. Prioritization criteria can include many different perspectives, all of which help the organizational staff in adequately achieving a cost-centric and security conscious plan that appropriately categorizes individual corrective actions and associated inter-related milestones.
Priority is a sequencing based on a preferential rating, whereas criteria is a standard for making decisions. Therefore, prioritization criteria includes a standard set of factors that should be considered as the preferable mechanisms for developing a rating scheme designed to achieve the most desirable ordering for completing corrective actions. Prioritization factors, both qualitative and quantitative should be considered to derive the standard used by the organization.
The approach used by the organization in the selection of prioritization factors may change and evolve as the organization's experience matures, and the skills and knowledge of the staff in managing complex criteria increases. The size of the organization and availability of funding may also affect for how the organization selects criteria used by the organization in ranking the importance of the corrective actions.
Lastly, “viewpoints” are one factor which should be considered as part of the organizational approach. Viewpoints can vary depending on the perspective of the staff and their experience/background. Whereas, senior management may have a more broad viewpoint that looks to the “strategic view” to make decisions, IT security professionals may have a more narrowly scoped “tactical view” that looks more closely at the mission of the organization against a specified set of associated risks. Obviously, neither viewpoint is preferable, but rather a hybrid should be used. Since viewpoints are a critical starting point for any prioritization process, the individual factors should be agreed upon by the organization, so that a consistent understanding exists to ensure significant changes to both the organization’s business and supporting IT systems are regarded.
Taking the various factors into consideration, we can now further expand our discussion to examine a exemplary model for assigning and ranking criteria, and for categorizing criteria. As previously discussed, the complexity of the prioritization criteria is based heavily on the experience of the organization and its staff. The more complex the criterion does not always mean that the prioritization will be more effective, but does allow more factors to be included. The number of factors in the criteria is an organizational preference; however, this section will present some exemplary factors to use as the basis for input into the prioritization scheme.
Below are potential criteria factors with associated weights. The ordering does not necessarily mean that all corrective actions will receive the same priority (unless the priority rating were the same for all factors), but instead are used to calibrate the values that will be assigned to each criteria factor in the priority matrix.
- System Categorization (1) – adverse impact on the organizational operations/assets (broad view)
- Impact level (2) – impact to the security protection of the mission (narrow view)
- Security Initiatives (3) – alignment with ongoing security initiatives
- Cost/Resource Availability (4) – criticality of resource needs against other organizational priorities
- Time (4) – balance of schedule flexibility with criticality of fixing the weakness to reduce residual risk
- Complexity (4) – size and scope of requirements in correcting the deficiency
Once the criteria factors have been selected and organized, appropriate weights need to be attached to each criterion to accurately reflect the prioritization scheme (i.e., priority and risk) chosen to rank the corrective actions. A recommended approach is to balance risk with each priority, thus enabling competing qualitative factors weighted in the organizational priority scheme to be balanced by the appropriate level of risk.
For example, if the organization assigned value based on the ordering above, the prioritization matrix could look as follows:
System Categorization (High Priority, Moderate Priority, Low Priority)
Impact Level (High Priority, Moderate Priority, Low Priority)
Security Initiative (High Priority, Moderate Priority, Low Priority)
Cost/Resource Availability (High Priority, Moderate Priority, Low Priority)
Time (High Priority, Moderate Priority, Low Priority)
Complexity (High Priority, Moderate Priority, Low Priority)
Based on the above prioritization matrix, the organization would then assign a priority to each individual corrective action based on each criteria factor. This would then be used by the organization to generate a raw score for prioritizing each corrective action.
As an example, a specific corrective action with a risk level of LOW could be assigned the following priority values:
System Categorization: Low
Impact Level: Moderate
Security Initiative: Low
Cost/Resource Availability: High
Time: Moderat
Complexity: High
Depending on the values assigned to each individual criteria factor in the prioritization matrix, a resulting value will be presented the organization with an appropriate ranking, used by the organization to determine which corrective action should be responded to first, and which of the individual corrective action will be included in the Corrective Action Plan.
