Why Risk Registers Are Critical Even relatively immature information security programs have a multitude of methods for identifying risks. Internal framework-based assessments provide findings based on implementation or compliance with controls. Automated scanning tools such as Nessus produce heaps of information regarding vulnerabilities present on specific hosts. Internal or third-party penetration testing teams produce reports detailing specific exploits that were successful in your environment. You may even get unsolicited inputs through responsible disclosure or through a bug bounty program. These are all extremely valuable methods for identifying risk in your environment. But unfortunately, many organizations lose visibility over time on the risks that are identified. The critical findings of the latest pen tests may get entered as tickets for an analyst to remediate. Those risks may even be the topic of conversation at weekly or monthly meetings. But what about all findings rates as a “medium” or “low” criticality? What about those findings that didn’t make the cut for assigning to an analyst for remediation today? Why You Need Risk Registers While we should always prioritize our efforts, managing your information security like a game of whack-a-mole inevitably results in 1) inefficiencies in your efforts, and 2) dropping the ball on those things that aren’t currently “most important.” Consider the case of BlueKeep (CVE-2019-0708), the flaw present in the Windows 7 (and earlier) implementation of Remote Desktop Protocol (RDP). When the vulnerability was first discovered and patched, only difficult proof-of-concept exploits existed. An organization may have ranked the risk of this vulnerability as “medium” due to the low likelihood of exploit. Patching critical servers may have been delayed…and the risk may have been forgotten. But today there is a Metasploit module for this vulnerability, which enables exploit by “script kiddies,” dramatically increasing the likelihood and thus the risk. Without a process in place to maintain visibility on un-remediated risk, an organization is failing to perform due care and due diligence in the management of its information security program. Risk management is not unique to information security, and other business functions have long recognized the need for an organized method for consolidating and tracking the risks in their environment. A risk management best practice is to create and maintain Risk Registers for each business function, and then consolidate these registers into an organizational Risk Register. What are Risk Registers? There is nothing cosmic about the concept of a Risk Register – it is simply a single repository where all risks are entered and tracked. We started this article discussing all the various methods by which information security risk may be identified: assessments, pen tests, automated scanning tools, bug bounties, etc. An information security risk register consolidates the findings from all these methods to provide centralized and persistent visibility. Any risk that is placed on the risk register must be addressed. Risks may be remediated so that the vulnerability is no longer present. They may be mitigated by applying additional controls. Risks may be transferred through outsourcing. And in some cases, risks may be deliberately accepted. But they should never, ever be ignored. The decision to accept a risk without any mitigating actions must be done deliberately and the rationale for the risk acceptance should be fully documented to demonstrate due care and due diligence in your risk management. Tools to Create Your Risk Register You can use a spreadsheet tool like Microsoft Excel to create and maintain your risk register. However, there are significant drawbacks to this method. Data must be manually transferred (read: copy-and-pasting) from the source documents. Furthermore, any changes to the status of the risk must be manually updated in the risk register. For example, the absence of a critical patch is entered into the risk register because implementation must be delayed until new servers are provisioned. Once the patch is implemented, someone must then manually close that risk in the register. Managing your register in this fashion introduces the possibility of errors of omission or commission. Additionally, the workload involved creates a disincentive to use the risk register. Put bluntly, the harder it is to use a tool, the less likely people are to use that tool. A much better option is to centralize the creation and tracking of risk remediation into a tool that can also act as your risk register. An ideal tool will organically enable generation of new findings from tests and assessments, import scans from tools like Nessus, and manage or integrate with your workflow to provide embedded tracking of risk remediation. With near-real-time updates (and no copying and pasting!) from those performing the work of “fixing things,” such a tool can also provide the most up-to-date risk register possible. How PlexTrac Can Handle Your Risk Registers PlexTrac performs all these functions today, providing seamless collaboration between those that identify and remediate risks with those responsible for risk management. Findings from all your tests, assessments, scans and other risk identification tools are available in a single location – no spreadsheets required. As risks are remediated, the status of those risks are updated in real time. And no risk is left in the “dust bin of history;” items remain open and upfront until you remediate or accept the risk. Because the original findings and artifacts for each risk exist in the same platform, there is no need to sift through old reports to gain amplifying information when you need to “dig deeper.” Everything concerning each risk is no more than a few clicks away. With advanced analytics capabilities, PlexTrac also allows you to drill down by business unit, age and severity. And now with the introduction of tagging for each risk, there are truly no limits to how you analyze your data. Gain insights on the trends that are most important to you and your environment. Rapidly search for vulnerabilities related to new threat intelligence. Provide the visibility that your senior leaders need to make informed resource decisions. Interested in learning how PlexTrac can be the “easy button” for implementing a robust Information Security Risk Register? Reach out to schedule a demo today here: https://plextrac.com/demo/
Vulnerability Assessment vs Penetration Testing: Understanding the Key Differences Vulnerability Assessment vs Penetration Testing READ ARTICLE
Unlocking Continuous Threat Exposure Management: New Features for Prioritizing Remediation Based on Business Impact The evolution of product security READ ARTICLE