While issues management often begins in silos like InfoSec, internal audit, and SOX, a mature issues identification and reporting structure follows a risk-based approach by connecting issues back to the organization’s risks. To accomplish this, it is necessary to establish common and shared elements of issues management across departments.
AuditBoard’s new ebook, The InfoSec Survival Guide: Achieving Continuous Compliance, examines what a risk-based issues management program looks like and details steps for creating one. Download the full guide here, and read below for tips on adopting a risk-first approach to your issues management program.
Tip 1: Standardize Your Issues Methodology
Departments that track issues should first establish a common, organization-wide issues management methodology. This involves standardizing issues nomenclature as well as how issues are rated and prioritized by risk. This is crucial for ensuring a common baseline for identifying and ranking issues across the various departments that capture and track issues in your organization. This process can go hand-in-hand with consolidating your issues data in a central system of record.
Tip 2: Consolidate Your Issues in a Central System of Record
A centralized technology solution is essential to keep your issues data organized and readily available to query for analytics and reporting. Without a proper structural database to support your issues and link different data points to each other, analytics and automation are not possible. An added benefit of inputting your data into an issues tracking platform is that it can double as an opportunity for your organization to perform step 1.
An ideal issues management solution should:
- Enforce the issues management methodology.
- Have a validation workflow that facilitates the methodology.
- Have agile reporting capabilities.
Tip 3: Leverage Issue Dashboards for Reporting
One of the greatest benefits of selecting an integrated technology solution is that it can synthesize the various data points involved in issues management into real-time dashboards. Ideally, you want a flexible issues dashboard that can be tailored to convey different metrics, depending on your audience. The following are metrics that are a good idea to have on your dashboards for day-to-day compliance teams and executive-level reporting.
Metrics to Track for Day-to-Day Team Reporting
- Number of open issues
- Number of open high-risk issues
- Number of controls or assets without owners
- Action plan progress
- Mitigation plans due in X days from today
- Number of action plans past due
- Number of action plan extension requests
- New gaps and exceptions
- Overall issues remediation status
- Number of past due issues
- Issue due dates, owners, and reviewers
Metrics to Track for Executive-Level Reporting
Metrics for executive-level reporting should always be catered to what management is looking for, but here are some general examples of good metrics.
- Number of new high-risk InfoSec findings
- Number of overdue high-risk findings
- Number of approved high-risk exceptions with expired target dates
- Issues that are repeatedly identified (provides value for poorly managed processes, technologies, or teams)
The issues management arm of your compliance program is an important component of your infosec compliance program. Its maturity and strength will depend on the planning that went into your assessments, design of control testing procedures and your controls library, and choices regarding automation and technology. To learn more, download the full ebook, The InfoSec Survival Guide: Achieving Continuous Compliance.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.