Findings

Overview

The Findings component is a critical element of the Audit Center module, designed to help organizations document, track, and address issues identified during security audits and assessments. This component provides a structured approach to managing findings, from initial documentation through resolution and verification.

Effective findings management is essential for improving your security posture, demonstrating due diligence, and ensuring that identified issues are properly addressed. The Findings component integrates with other elements of the Audit Center and the broader Risk & Compliance Suite to provide a comprehensive framework for security improvement and compliance.

Key Features

Finding Documentation

  • Structured Recording - Document findings in a consistent, detailed format

  • Finding Categories - Classify findings by type, severity, and affected area

  • Evidence Attachment - Link supporting documentation to findings

  • Finding Templates - Use standardized formats for common issue types

  • Bulk Import - Add multiple findings from external sources

Finding Assessment

  • Severity Rating - Evaluate the impact and urgency of each finding

  • Risk Association - Link findings to related security risks

  • Control Mapping - Connect findings to specific control deficiencies

  • Root Cause Analysis - Identify underlying causes of identified issues

  • Impact Assessment - Document the potential effects of each finding

Finding Assignment and Tracking

  • Owner Designation - Assign responsibility for addressing findings

  • Status Monitoring - Track the current state of each finding

  • Due Date Management - Set and monitor deadlines for resolution

  • Progress Updates - Record actions taken to address findings

  • Verification Process - Confirm that findings have been properly resolved

Finding Reporting

  • Finding Summaries - Generate overviews of identified issues

  • Status Reports - Track resolution progress across all findings

  • Trend Analysis - Identify patterns in finding types and sources

  • Compliance Reporting - Document finding resolution for regulatory purposes

  • Executive Dashboards - Provide high-level insights for leadership

Getting Started

Accessing the Findings Component

  1. Log in to your AskInfosec account

  2. Navigate to the main dashboard

  3. Select "Audit Center" from the main navigation menu

  4. Click on "Findings" in the submenu

  5. You will be directed to the Findings Management dashboard

Findings Management Dashboard

The Findings Management dashboard provides an overview of your organization's audit findings, including:

  • Finding Summary - Total findings by status and severity

  • Recent Findings - Latest issues identified during audits

  • Overdue Findings - Issues past their resolution deadline

  • Finding Trends - Patterns in finding types and sources

  • Top Finding Categories - Most common types of issues identified

Managing Findings

Creating a New Finding

To document an issue identified during an audit:

  1. From the Findings Management dashboard, click the "New Finding" button

  2. Enter basic finding information:

    • Finding Name

    • Description

    • Severity (High, Medium, Low)

    • Category

    • Audit Reference

    • Assigned To

  3. Add detailed information:

    • Observation details

    • Potential impact

    • Affected systems or processes

    • Relevant standards or requirements

  4. Click "Create" to add the finding

  5. You will be directed to the finding details page for further documentation

Finding Details

The finding details page contains comprehensive information about a specific issue:

  1. Basic Information - Name, description, severity, and category

  2. Assignment - Individuals responsible for addressing the finding

  3. Status - Current state of the finding resolution process

  4. Related Items - Associated controls, policies, and corrective actions

  5. Attachments - Supporting documentation and evidence

  6. Comments - Discussion and updates related to the finding

Creating a Finding from an Audit

To document an issue identified during a specific audit:

  1. Navigate to the audit details page

  2. Click "New Finding"

  3. Enter the finding details as described above

  4. The finding will be automatically linked to the audit

  5. Save the finding

Importing Findings

To import multiple findings from an external source:

  1. From the Findings Management dashboard, click "Import Findings"

  2. Select the import format (CSV, Excel)

  3. Upload the file containing finding information

  4. Map the file columns to the required finding fields

  5. Review the imported findings

  6. Confirm the import to add the findings to the system

Finding Assessment

To evaluate the significance of a finding:

  1. Navigate to the finding details page

  2. In the Assessment section, document:

    • Severity justification

    • Potential impact on the organization

    • Likelihood of exploitation

    • Compliance implications

  3. Link the finding to related risks if applicable

  4. Save the assessment information

Finding Assignment

To designate responsibility for addressing a finding:

  1. Navigate to the finding details page

  2. In the Assignment section, select:

    • Primary owner (responsible for overall resolution)

    • Additional stakeholders (contributing to resolution)

    • Approver (verifies resolution)

  3. Set a target resolution date

  4. Save the assignment information

  5. The system will notify assigned individuals

Finding Status Management

Findings typically follow this lifecycle:

  1. Open - Initially documented, not yet addressed

  2. In Progress - Resolution activities have begun

  3. Pending Review - Resolution completed, awaiting verification

  4. Closed - Verified as resolved

  5. Accepted Risk - Issue acknowledged but not fully resolved

To update a finding's status:

  1. Navigate to the finding details page

  2. Click "Update Status"

  3. Select the new status

  4. Provide comments explaining the status change

  5. Upload supporting documentation if applicable

  6. Save the status update

Finding Resolution

Creating Corrective Actions

To define specific steps for addressing a finding:

  1. Navigate to the finding details page

  2. Click "New Corrective Action"

  3. Enter corrective action details:

    • Action Name

    • Description

    • Root Cause

    • Assigned To

    • Due Date

    • Priority

  4. Save the corrective action

  5. The action will appear in the Corrective Actions tab of the finding

Tracking Resolution Progress

To monitor finding resolution:

  1. Navigate to the finding details page

  2. Review the Corrective Actions tab

  3. Check the status of each corrective action

  4. Add progress updates in the Comments section

  5. Upload evidence of completed actions

  6. Update the overall finding status as appropriate

Verifying Resolution

To confirm that a finding has been properly addressed:

  1. Navigate to the finding details page

  2. Review the implemented corrective actions

  3. Examine evidence of resolution

  4. Conduct testing to verify effectiveness if necessary

  5. Document the verification process

  6. Update the finding status to "Closed" if resolved

  7. If not fully resolved, provide feedback and return to "In Progress"

Managing Accepted Risks

In some cases, an organization may choose to formally accept the risk of a finding rather than fully resolve it:

  1. Navigate to the finding details page

  2. Click "Accept Risk"

  3. Document the risk acceptance rationale:

    • Business justification

    • Compensating controls

    • Acceptance timeframe

    • Approval authority

  4. Obtain necessary approvals

  5. Update the finding status to "Accepted Risk"

  6. Schedule periodic reviews of accepted risks
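The lifecycle above, the required comment on every status change, the return to "In Progress" when verification fails, and the rationale and approval required before a finding becomes "Accepted Risk" can be captured as a small state machine. This is an added example, not AskInfosec code; the exact set of allowed transitions and the field names for the acceptance rationale are assumptions based on the procedures described on this page.

```python
"""Finding lifecycle model (added example; not AskInfosec's own code)."""
from dataclasses import dataclass, field

# Lifecycle states named on the page.
OPEN, IN_PROGRESS, PENDING_REVIEW, CLOSED, ACCEPTED_RISK = (
    "Open", "In Progress", "Pending Review", "Closed", "Accepted Risk")
SEVERITIES = ("High", "Medium", "Low")

# Allowed transitions: assumed from the documented lifecycle and procedures.
TRANSITIONS = {
    OPEN: {IN_PROGRESS, ACCEPTED_RISK},
    IN_PROGRESS: {PENDING_REVIEW, ACCEPTED_RISK},
    PENDING_REVIEW: {CLOSED, IN_PROGRESS},   # verification passed / failed
    CLOSED: set(),                           # closed findings stay closed
    ACCEPTED_RISK: {IN_PROGRESS},            # periodic review may reopen
}

# Rationale fields the page lists for risk acceptance (names are assumed).
RISK_ACCEPTANCE_FIELDS = ("business_justification", "compensating_controls",
                          "acceptance_timeframe", "approval_authority")


@dataclass
class Finding:
    name: str
    severity: str
    status: str = OPEN
    history: list = field(default_factory=list)  # (old, new, comment, evidence)

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}")

    def update_status(self, new_status, comment, evidence=None,
                      acceptance=None, approved=False):
        """Apply a status change, enforcing the workflow rules; returns new status."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        if not comment or not comment.strip():
            raise ValueError("a comment explaining the status change is required")
        if new_status == ACCEPTED_RISK:
            missing = [f for f in RISK_ACCEPTANCE_FIELDS if not (acceptance or {}).get(f)]
            if missing:
                raise ValueError(f"risk acceptance rationale incomplete: {missing}")
            if not approved:
                raise ValueError("risk acceptance requires approval before status change")
        if new_status == CLOSED and not evidence:
            raise ValueError("closing requires evidence of verified resolution")
        self.history.append((self.status, new_status, comment, evidence))
        self.status = new_status
        return self.status
```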

Finding Evidence Management

Adding Evidence to Findings

To document finding details and resolution:

  1. Navigate to the finding details page

  2. Select the "Attachments" tab

  3. Click "Add Attachment"

  4. Choose the attachment type:

    • Document upload

    • Screenshot

    • Link to existing document

    • External reference

  5. Provide a description explaining the attachment's relevance

  6. Upload or link the attachment

  7. Save the attachment record

Managing Attachments

To organize and maintain finding documentation:

  1. Navigate to the finding details page

  2. Select the "Attachments" tab

  3. View all attachments associated with the finding

  4. Filter attachments by type or date

  5. Update or replace outdated attachments

  6. Remove irrelevant or obsolete attachments

Finding Integration

Linking Findings to Controls

To connect findings with security controls:

  1. Navigate to the finding details page

  2. Select the "Controls" tab

  3. Click "Link Controls"

  4. Search for and select relevant controls

  5. Define the relationship (e.g., control gap, ineffective control)

  6. Save the associations

Connecting Findings to Policies

To associate findings with security policies:

  1. Navigate to the finding details page

  2. Select the "Policies" tab

  3. Click "Link Policies"

  4. Search for and select relevant policies

  5. Save the associations

Relating Findings to Risks

To connect findings with identified risks:

  1. Navigate to the finding details page

  2. Select the "Risks" tab

  3. Click "Link Risks"

  4. Search for and select relevant risks

  5. Define the relationship (e.g., confirms risk, new risk)

  6. Save the associations

Linking Findings to Audits

To associate findings with specific audits:

  1. Navigate to the finding details page

  2. Select the "Audits" tab

  3. Click "Link Audits"

  4. Search for and select relevant audits

  5. Save the associations

Finding Reporting

Standard Reports

The system provides several standard finding reports:

  1. Finding Register - Complete inventory of all findings

  2. Finding Status Report - Overview of finding resolution progress

  3. Overdue Findings - Findings past their target resolution date

  4. Finding by Category - Findings grouped by type or affected area

  5. Finding Trends - Patterns in finding identification and resolution

Custom Reports

To create a custom finding report:

  1. Navigate to the Reports section

  2. Click "Create Custom Report"

  3. Select report type (Findings)

  4. Choose filtering and grouping options

  5. Select display columns and sorting

  6. Generate the report

  7. Export to PDF, Excel, or CSV format

Best Practices

Finding Documentation

  • Be specific - Clearly describe the issue and its context

  • Provide evidence - Include screenshots, logs, or other documentation

  • Use objective language - Focus on facts rather than opinions

  • Include impact - Explain the potential consequences of the issue

  • Reference standards - Link to relevant requirements or best practices

Finding Assessment

  • Use consistent criteria - Apply the same standards across all findings

  • Consider multiple factors - Evaluate impact, likelihood, and scope

  • Involve experts - Consult subject matter experts for technical findings

  • Document rationale - Explain the basis for severity ratings

  • Reassess as needed - Update assessments if new information emerges

Finding Assignment

  • Choose appropriate owners - Assign to individuals with relevant expertise

  • Set realistic deadlines - Allow adequate time for resolution

  • Clarify expectations - Ensure owners understand what's required

  • Establish accountability - Follow up on assigned findings

  • Support resolution - Provide resources needed to address findings

Finding Resolution

  • Address root causes - Focus on underlying issues, not just symptoms

  • Implement sustainable solutions - Avoid temporary fixes

  • Document actions taken - Record all steps in the resolution process

  • Verify effectiveness - Confirm that solutions actually work

  • Learn from findings - Use issues to improve processes and controls

Troubleshooting

Common Issues

  • Incomplete findings - Ensure all required information is provided

  • Unclear descriptions - Clarify vague or ambiguous finding details

  • Inappropriate severity - Adjust ratings that don't match actual impact

  • Stalled resolution - Follow up on findings with no recent progress

  • Inadequate verification - Ensure thorough testing of implemented solutions

Getting Support

If you encounter issues with the Findings component:

  1. Check the in-app help documentation

  2. Contact your organization's system administrator

  3. Submit a support ticket through the AskInfosec support portal

Conclusion

Findings management is what turns audit results into a measurably better security posture and a demonstrable record of due diligence. The Findings component provides the tools and structure needed to document, track, and resolve security findings in a consistent, comprehensive manner.

By following the processes outlined in this guide, you can establish a robust findings management program that helps your organization address security gaps, implement improvements, and demonstrate your commitment to security and compliance.
