POA&M

00:00

Jason, listen to 0.9. We're gonna talk about Plan of Action of Milestones of the poem. Kind of mentioned this before, but now is the last lesson we're getting to the last part of the life cycle of a weakness, vulnerability, security control, mapping it to actual risk.

00:17

For this lesson, you'll learn about the reason why we have poems. Seems kind of obvious, but we explain that interpret the components that different parts that we need for a poem, what makes sense and in critique, some poem entries

00:42

So far,

00:44

here's that the components of a plan of action, A milestone. So you first need to document the weakness. Obviously, we do say what it is. What we found

00:54

you do allocate resources is one of most things. Why we're doing this is why we're creating a plan. You have to name a person or resource, a role that is going to do something about this is gonna be in charge of fixing it. That's gonna be in charge of monitoring it so that you don't just put a weakness out there and

01:11

no idea who's gonna fix it, how it's going to be fixed, anything like that,

01:15

it's also important to identify the detection source. So where did we get it from With an automated tool with the interview,

01:23

so that later on, when you

01:26

if you do want to test it again, you can use that that same method

01:30

or also determine whether it whether how important it is based on you know how was detected.

01:36

Also gonna want to define the timeline for the action. We need to have a plan. It's called a plan. So you know, if a plan you need to have a timeline, when is this going to be fixed? And then also tracked the progress. So it's good to have in their dates for milestones as it was progressing because

01:53

this poem is supposed to be a living document where somebody can take it any time. Whoever needs to do with the ice so authorising official and say What are the risk when there's a system the risk posing to my organization and be able to look at and say like, Okay, I could see there's some work dunning on it, Or why isn't a work being done on it

02:14

when the next steps is putting mitigating controls in there so we're not just documenting risk. We're just trying to do something about it as well and say, You know, here's the plan. Here's what Here's how we are And here's some mitigating control So you could say this. This is the risk is reduced, or this residual risk is the residual risk is

02:34

based on this mitigating control that either reduces the amount

02:38

of impact to the system

02:39

or, you know, for myself some some other complementary security control.

02:46

And we also want to track the risk history of active and closed. I think this is important that

02:53

even if you close a poem item at times, I'd like to see them maintain in there. You can hide him somehow, but you track it because this is one of the fundamentals is, as you may have a risk, sometimes pop up a separate time, and there may be some

03:08

process that's breaking down that's causing this risk to fail. And if you're not tracking that, if it's failing at some point,

03:15

you know some point that that two people don't don't realize or one person is left, that

03:20

that is a risk to the system that that it can't be fixed or that keeps popping up.

03:27

So here's an example of ah, poem. The most poems have a lot more field in this, but this is good enough for president or just kind of give you an example of it and fill out not overwhelmed the screen with too much data.

03:42

So the 1st 1 was pulled from the ESCAP. Result that we saw before is C M 11.

03:49

Enhancement to this was about the weakness is non add. Mons are installing have installed permissions again. I'm putting a textile of a smaller so we can read it here and then This example John Doe is a POC. So it is a specific person who's in charge of this controls when

04:06

thesis so or anybody goes toe look att,

04:09

the risks that they will say, Oh, this is the person I know that that's working on it And this is the person I could talk to to get a status for it,

04:16

for the resource is that this control says I need the windows admin to dio admin and I may also need the active directory admin for this control

04:27

or to help fix this risk. Sorry.

04:29

And the completion date is sometime in the future, and this one has some milestones. Eso in the milestones You would normally have dates here, but for brevity here, just so it's easier to read. I just use some bullets.

04:43

So this is confirmed the active directory deficiency. So they're saying there should be some group policy needs to be pushed out, that that that can mitigate this control, that that gives non admits ability to install from herself off where

04:58

and then So this one says We've actually deployed it, the testing environment. So you get a good Sands, like said, You can look at this and say, Okay, I see what the risk is. I see who's in charge, and I see where it is. And then maybe if that dates not right, you can ask, You know, you need to update this,

05:13

but you can also see that is progressing. It's just not some stagnant risk that's sitting out there.

05:17

The tool for the source was that ESCAP tool. They found it again. Once it's deployed, or when we think we believe that the risk has been mitigated, we would then use that same tool like andr say that same source, then perform the test again

05:34

and validate that has been fixed. So we have things continuity that we're using the same method to test every time

05:41

and the status is ongoing. So it's still being worked on. Like I mentioned you may have closed once, but you could keep them in there. Just a UTI The risk that in the past

05:50

next example here is CP seven A, which is can contingency planning. So this weaknesses was there's no alternative site. So maybe the p ECE POC here is the ISIS, so it may not be a specific person, so you can use a role case that changes. Are there alternate things like that?

06:10

This one They wanted to facilities people because it's a building that has to be purchased things like that

06:15

and made this when they may need the C I s O cause they're gonna have to fight for this funding for this system, and the system owner may not have enough budget to actually go out and build a new site or procure some portion of it that that can meet this control.

06:29

You see, here, in the milestones that just said we've just had initial meeting to assess the risk. That's all that's been done so far. And then So you can look at this and see Well, it's not, Hasn't Not a lot has been done on this yet. The source here was an interview, so you could see a lot of times you don't even need

06:47

automated means. You could just talk to somebody and say