16. Recommending Remediation Strategies
ND545 C3 L3 A09 Recommending Remediation Strategies V2
Overview
The final step in the process is to take all of the prioritized vulnerabilities and gaps found in the company, and leverage the vulnerability research information and company context to establish a remediation strategy. The strategy is typically shared with stakeholders such as leadership or the technical resources involved in fixing the gaps.
There are three main paths of action for remediation:
- Avoid the vulnerability: The gap can be avoided by fixing the issue, adding controls to mitigate the potential impact, or eliminating the asset. If the recommended strategy is to fix the issue, a rescan should be conducted afterward to ensure that the issue has indeed been fixed and that no new vulnerabilities were exposed in the process.
- Accept the vulnerability: The gap can be accepted by documenting the risk and gaining authorization from an accountable individual. For example, if the cost to fix an issue is greater than the potential vulnerability impact, you may consider accepting the issue.
- Transfer the vulnerability: The gap can be transferred to other entities via insurance or vendor support options.
Companies usually do not have the resources to address every finding right away. In the remediation strategy, a final recommendation should be selected, documented, and tracked for every vulnerability.
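As an added example (not part of the course material), the following Python models the three remediation paths and the tracking rules described above: acceptance needs an accountable approver, a fix only closes after a clean rescan, and every finding ends up with a recorded status. The finding ids, cost figures and the "CISO" approver are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
class Path(Enum):
    AVOID = "avoid"        # fix, add mitigating controls, or eliminate the asset
    ACCEPT = "accept"      # document the risk; an accountable individual signs off
    TRANSFER = "transfer"  # insurance or vendor support
@dataclass
class Finding:
    vuln_id: str
    priority: int       # 1 = highest, from the prioritization step
    impact_cost: float  # estimated loss if exploited (constructed figures below)
    fix_cost: float     # estimated cost to fix
@dataclass
class Decision:
    path: Path
    action: str                          # "fix", "mitigate", "eliminate", "insurance", "vendor"
    approver: Optional[str] = None       # required when accepting
    rescan_clean: Optional[bool] = None  # post-fix rescan result, required to close a fix

def recommend(f: Finding) -> Path:
    """Default path using the rule of thumb above: accept when fixing costs more than the impact."""
    return Path.ACCEPT if f.fix_cost > f.impact_cost else Path.AVOID

def track(f: Finding, d: Decision) -> str:
    """Tracking status for one finding, enforcing what each path requires."""
    if d.path is Path.ACCEPT:
        if not d.approver:
            return "blocked: acceptance needs an accountable approver"
        if f.fix_cost <= f.impact_cost:
            return "review: fix is cheaper than the impact, acceptance is questionable"
        return f"accepted by {d.approver}"
    if d.path is Path.TRANSFER:
        return f"transferred via {d.action}"
    if d.action == "fix":  # a fix only closes once a rescan confirms it
        if d.rescan_clean is None:
            return "open: fix applied, rescan pending"
        return "closed: rescan clean" if d.rescan_clean else "reopened: rescan still finds it"
    return f"closed: {d.action}"

def strategy_report(findings, decisions):
    """One row per finding, highest priority first; findings with no decision are flagged."""
    rows = []
    for f in sorted(findings, key=lambda x: x.priority):
        d = decisions.get(f.vuln_id)
        rows.append((f.vuln_id, track(f, d) if d else f"undecided: suggest {recommend(f).value}"))
    return rows

FINDINGS = [Finding("V-001", 1, impact_cost=50000, fix_cost=2000),  # constructed sample input
            Finding("V-002", 2, impact_cost=1000, fix_cost=15000),
            Finding("V-003", 3, impact_cost=8000, fix_cost=500)]
DECISIONS = {"V-001": Decision(Path.AVOID, "fix", rescan_clean=True),
             "V-002": Decision(Path.ACCEPT, "document", approver="CISO")}
```

Calling `strategy_report(FINDINGS, DECISIONS)` lists V-001 as closed, V-002 as accepted by the CISO, and flags V-003 as undecided with a suggested path.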