When prioritizing security controls, it’s important to consider both timing and impact.
Prioritize by time.
- Immediate Controls: Identify the security controls that must be implemented immediately to address the most pressing risks. This could include controls to address vulnerabilities being actively exploited or complying with legal or regulatory requirements.
- Short-Term Controls: Identify the security controls that can be implemented in the short term, typically within the next 6-12 months. This could include controls to address vulnerabilities that are likely to be exploited in the near future or to improve overall security posture.
- Long-Term Controls: Identify the security controls that can be implemented over the long term, typically within the next 1-3 years. This could include controls to address emerging threats or to improve the organization’s security maturity.
Prioritize by impact.
Now that you have identified the security controls that have the highest potential impact on your organization if they are not implemented, it’s time to prioritize those with a medium or low impact. This can be done by using an impact matrix, a table with columns representing each risk level (high, moderate, and low), and rows representing each of your risks. Then, for each cell in this table, you will enter an “X” if there is no applicable control for that risk or an “#” if there is one applicable control.
- Note: If a cell contains neither an X nor # symbol, then no security controls were assigned to it and should be reconsidered as part of future scoping efforts
Security priorities should be based on both timing and impact.
When prioritizing your security controls, it’s important to consider both time and impact.
For example, suppose you have an application that needs to launch in three months but has yet to have customers (i.e., low impact). In that case, it might be best to focus on improving the process of developing new features rather than spending time implementing encryption or monitoring tools. On the other hand, if an existing system has thousands of users and is experiencing serious performance issues (high impact), this is likely a good candidate for immediate remediation.
In addition to these two factors, other factors, such as legal requirements or regulatory constraints, affect how you prioritize specific controls over others.
When prioritizing security controls, timing and impact are both important factors. You can’t just focus on one or the other–they work together to help you make better decisions about how best to protect your organization. The sooner a vulnerability is discovered and remediated, the less likely attackers will exploit it. Likewise, a threat does cause damage before being mitigated by security controls. In that case, there’s an increased risk of data loss or business disruption from which recovery may take longer than expected due to lack of resources allocated towards information security programs.”
Leave a Reply