Security Audits – How to Prioritize Audit Findings

Technical audits or vulnerability scans will reveal a lot of findings. They can be overwhelming, forcing the reviewer to freeze, not knowing where to start. To overcome this issue, we should prioritize the findings and determine the consequences of each finding for our company.

While an open directory listing on a web server might be undesirable in one situation, it may be perfectly acceptable in another. It is the context which makes a finding “serious” or completely harmless.

Focus areas

By looking at several aspects, we can simplify and prioritize audit findings. Three common focus areas are Importance (or impact), Urgency and Effort. Depending on the time of audit, these three areas may have the same weight. In most situations however, there is a clear preference for one or more focus areas. When delivering a project, deadlines may be more important, resulting in a higher weight for urgency and also for effort. The latter may give preference to another activity, because it can be a “quick win” for example.

Importance or Impact

Some activities will have a great benefit to the business, like the trust it provides to customers, cost savings, or the convenience of the work for employees. By determining the benefits of dealing with a particular finding, we can put all activities in perspective. This makes it easier to compare them and prioritize them. Usually this focus area is the most beneficial to a company.

Note: In a normal situation, give this area the highest weight.

Urgency

While some activities might have a high impact, the timing might be less optimal. For example, when another activity needs to be completed first, or simply because there is no pressure to change. People tend to change things only if there is a sense of urgency, which is also true when one has to prioritize audit findings.

Urgency is usually second when rating the weight of each of the focus areas. The higher the urgency, the more pressure there is externally and internally to get a particular item solved.

Effort

Regarding quick wins, it is the effort rating which determines how well suited an activity is. For most activities however, it quickly becomes clear there is more work involved. By properly determining what amount of effort is needed (in man hours, time), the quick wins will rise to the top. If something is important, there is a sense of urgency and it can be quickly performed, this activity should be done first.

Usually effort is rated lower than impact and urgency, as effort and benefit are usually in sync. Something that can be done quickly usually has little impact on the business. Some real big changes which provide new options for the business will take longer. Consider also getting people on board with the idea, or explaining why a specific finding is really that important. Convincing others is also a measure of effort.

Rating

To get a prioritized list, give each finding a score (e.g. 1-5) for each focus area. Then apply the weight to each item and sum the scores. Since low effort is good, we should turn around the score rating for this one (score = 6-value). If someone fills in a 5 (which means a lot of effort), it will result in a score of 1. Optionally, name the item differently; however, be careful not to use negative connotations.

The scoring can be done easily with a spreadsheet program. Some solutions have their own way of calculating these factors, to save you the time of doing it manually.
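The weighted scoring described above, as an added Python example that is not part of the original article: the weights, the sample findings and their 1-5 ratings are constructed for illustration, and the second weight set shows how a project deadline (more weight on urgency and effort) changes the order.

```python
from dataclasses import dataclass

# Assumed weights: impact highest, urgency second, effort lowest (the article's
# "normal situation"). A second set models a project under deadline pressure.
DEFAULT_WEIGHTS = {"impact": 3, "urgency": 2, "effort": 1}
DEADLINE_WEIGHTS = {"impact": 1, "urgency": 3, "effort": 3}


@dataclass
class Finding:
    title: str
    impact: int   # 1 (little benefit) .. 5 (great benefit to the business)
    urgency: int  # 1 (no pressure) .. 5 (must be solved now)
    effort: int   # 1 (quick win) .. 5 (large project), as entered by the reviewer


def validate_score(value: int) -> int:
    """Reject anything outside the 1-5 rating range before it skews the sum."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"score must be an integer from 1 to 5, got {value!r}")
    return value


def priority_score(finding: Finding, weights=DEFAULT_WEIGHTS) -> int:
    """Weighted sum of the three areas; effort is inverted (6 - value),
    so a low-effort finding contributes a high score."""
    impact = validate_score(finding.impact)
    urgency = validate_score(finding.urgency)
    effort = 6 - validate_score(finding.effort)
    return (weights["impact"] * impact
            + weights["urgency"] * urgency
            + weights["effort"] * effort)


def prioritize(findings, weights=DEFAULT_WEIGHTS):
    """Return (score, finding) pairs, highest priority first; ties keep input order."""
    scored = [(priority_score(f, weights), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample findings (not taken from a real audit).
SAMPLE_FINDINGS = [
    Finding("Directory listing enabled on public web server", impact=4, urgency=3, effort=1),
    Finding("SSH allows password authentication", impact=3, urgency=2, effort=2),
    Finding("Web application lacks CSRF protection", impact=5, urgency=4, effort=4),
    Finding("Unused packages installed", impact=1, urgency=1, effort=1),
]

if __name__ == "__main__":
    for score, finding in prioritize(SAMPLE_FINDINGS):
        print(f"{score:3d}  {finding.title}")
```

With the default weights the high-impact CSRF finding ranks first; under the deadline weights the quick win (directory listing) moves to the top.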

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
