Overview

The Findings Management component is a critical part of the Audit Center module within the Risk & Compliance Suite. It provides a centralized system for documenting, tracking, analyzing, and managing findings identified during security audits, risk assessments, penetration tests, or other review activities. Effective findings management is key to understanding an organization's security posture and driving remediation efforts.

This guide explains how to use the Findings Management component to ensure that all identified issues are properly recorded, assessed, and addressed.

Key Features

Finding Documentation

  • Detailed Descriptions - Record comprehensive details about each finding, including what was observed, where it was found, and the criteria it violates.

  • Evidence Attachment - Link screenshots, log files, configuration snippets, or other evidence directly to the finding.

  • Source Identification - Track the origin of the finding (e.g., specific audit, risk assessment, vulnerability scan).

  • Affected Assets/Processes - Identify the systems, applications, data, or business processes impacted by the finding.

Finding Classification and Prioritization

  • Severity Levels - Assign severity (e.g., Critical, High, Medium, Low, Informational) based on potential impact and likelihood.

  • Finding Types/Categories - Classify findings by type (e.g., configuration flaw, access control issue, policy gap, vulnerability).

  • Risk Scoring - Integrate with risk assessment methodologies to assign a risk score to each finding.

  • Prioritization - Rank findings to focus remediation efforts on the most critical issues.

Workflow and Assignment

  • Status Tracking - Monitor the lifecycle of a finding (e.g., Open, In Progress, Awaiting Review, Remediated, Closed, Risk Accepted).

  • Ownership Assignment - Assign responsibility for addressing the finding to specific individuals or teams.

  • Due Dates - Set target dates for remediation.

  • Collaboration - Allow comments and discussions related to the finding.

Remediation Tracking

  • Link to Corrective Actions - Create or link findings to specific corrective action plans in the Corrective Actions component.

  • Remediation Plan Details - Document the proposed solution or steps to address the finding.

  • Verification of Remediation - Track the process of confirming that the finding has been effectively resolved.

Reporting and Analytics

  • Findings Dashboard - View an overview of findings by status, severity, owner, etc.

  • Trend Analysis - Identify patterns in findings over time or across different audits/assessments.

  • Compliance Reporting - Generate reports showing findings related to specific compliance requirements or controls.

  • Export Capabilities - Export finding data for further analysis or reporting in other tools.

Getting Started

To begin using the Findings Management component:

  1. Access Findings Management: Navigate to the Audit Center, then select the Findings component. Findings can also be created directly from an audit engagement record.

  2. Create a New Finding: When an issue is identified:

    • Click "New Finding".

    • Provide a clear, concise title and a detailed description.

    • Specify the source (e.g., audit name, assessment ID).

    • Identify affected assets or processes.

    • Attach any relevant evidence.

  3. Classify and Prioritize: Assign a severity level and categorize the finding. If applicable, perform a risk assessment.

  4. Assign Ownership and Due Date: Assign the finding to the person or team responsible for its remediation and set a target completion date.

  5. Develop a Remediation Plan: Outline the steps that will be taken to address the finding. This often involves creating a linked Corrective Action plan.

  6. Track Progress: Monitor the status of the finding as it moves through the remediation workflow.

  7. Verify Remediation: Once remediation is reported as complete, an independent party (e.g., auditor, security team) should verify that the fix is effective.

  8. Close the Finding: If remediation is successful, change the status to "Closed" or "Remediated". If the risk is accepted, document the acceptance rationale and change status accordingly.
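The lifecycle the steps above describe can be enforced in code rather than left to convention. The following is an added example, not part of the suite or this guide: a small state machine over the statuses listed under Status Tracking that refuses to mark a finding Remediated unless the verifier is someone other than the owner (step 7) and refuses Risk Accepted without a rationale (step 8). The transition edges, class and function names are assumptions.

```python
"""Finding lifecycle state machine: added example, not the suite's own code.
Encodes the statuses under Status Tracking and two rules from Getting Started:
independent verification before closure, and a rationale before risk acceptance."""
from dataclasses import dataclass, field

# Allowed transitions (assumed ordering; the guide lists statuses, not edges).
TRANSITIONS = {
    "Open": {"In Progress", "Risk Accepted"},
    "In Progress": {"Awaiting Review", "Risk Accepted"},
    "Awaiting Review": {"Remediated", "In Progress"},  # failed verification reopens work
    "Remediated": {"Closed"},
    "Closed": set(),
    "Risk Accepted": {"Open"},  # an accepted risk can be reopened for review
}

@dataclass
class Finding:
    title: str
    severity: str
    owner: str  # person or team responsible for remediation
    status: str = "Open"
    acceptance_rationale: str = ""
    history: list = field(default_factory=list)  # audit trail of transitions

    def transition(self, new_status: str, actor: str, note: str = "") -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        # Step 7: the fix is verified by someone other than the remediation owner.
        if new_status == "Remediated" and actor == self.owner:
            raise PermissionError("verification must be independent of the owner")
        # Step 8: risk acceptance is recorded together with its rationale.
        if new_status == "Risk Accepted":
            if not note.strip():
                raise ValueError("risk acceptance requires a documented rationale")
            self.acceptance_rationale = note
        self.history.append((self.status, new_status, actor, note))
        self.status = new_status

def remediate_and_close(f: Finding, verifier: str) -> str:
    """Walk a finding through the normal path; returns the final status."""
    f.transition("In Progress", f.owner, "patch scheduled")
    f.transition("Awaiting Review", f.owner, "fix deployed")
    f.transition("Remediated", verifier, "retest passed")
    f.transition("Closed", verifier)
    return f.status
```

The `history` list doubles as the evidence trail the Best Practices section asks for, since every transition records who moved the finding and why.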

Best Practices

  • Be Clear and Concise: Findings should be easy to understand for both technical and non-technical audiences.

  • Provide Actionable Information: Ensure findings include enough detail for effective remediation.

  • Standardize Terminology: Use consistent language for severity levels, finding types, and statuses.

  • Focus on Root Cause: Where possible, identify the underlying cause of the finding, not just the symptom.

  • Timely Documentation: Record findings as soon as they are identified.

  • Regular Review: Periodically review open findings to ensure they are being addressed.

  • Evidence is Key: Always support findings with objective evidence.

  • Collaborate with Stakeholders: Work with asset owners and relevant teams throughout the finding lifecycle.

Troubleshooting

Common Issues

  • Vague or Incomplete Findings: Lack of detail makes it hard to understand or remediate the issue.

  • Disputed Findings: Asset owners may disagree with the finding or its severity.

  • Findings Not Addressed: Open findings remain unaddressed for long periods.

  • Inconsistent Classification: Similar issues are assigned different severities or types.

  • Poor Evidence: Evidence is missing, irrelevant, or doesn't clearly support the finding.

Getting Support

If you encounter issues with the Findings Management component:

  1. Refer to the in-app help documentation.

  2. Consult your organization's internal procedures for audit and risk management.

  3. Contact your system administrator or the AskInfosec support team.

Conclusion

The Findings Management component is central to an effective security assurance program. By systematically documenting, tracking, and managing findings, organizations can gain valuable insights into their security weaknesses, prioritize remediation efforts, and drive continuous improvement. A robust findings management process helps reduce risk, enhance compliance, and ultimately strengthen the organization's overall security posture.