Enterprise Remediation Continuous Improvement: The Risk Registry

Nick Deshpande
1 min read · Oct 5, 2017


A recent GAO report examines the maturity of the security regimes at 24 US Government departments. Although they operate under different standards and regimes, private enterprises face challenges very similar to those of the agencies described in the report. For example, “Twenty-three of the 24 agencies did not have effective processes for remediating information security weaknesses.”*

Remediation is hugely challenging as it tends to involve a cross-section of teams and multiple stakeholders. Remediation projects can have significant budgetary implications. It’s critical to maintain an integrated risk registry with ownership within the governance team to drive remediation in a deliberate manner. Remediation can be linked explicitly to personnel metrics of success to elevate its importance.
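To make the registry concrete, here is an added example (not the author's implementation and not from the GAO report) of a minimal integrated risk registry in Python. Every weakness carries an accountable owner and a severity-driven remediation deadline, the registry can surface unowned and overdue items, and it rolls up per-owner counts that could feed the personnel success metrics mentioned above. The severity-to-SLA mapping and the sample entries are constructed for illustration; they are not a standard or real findings.

```python
"""Minimal integrated risk registry: owner, severity-driven deadline,
overdue/unowned reporting and per-owner remediation metrics.
Added example; SLA values and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLAs in days by severity (constructed for this example).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
OPEN_STATES = ("open", "in_progress")
# Reporting date used by the sample below (constructed).
SAMPLE_AS_OF = date(2017, 10, 5)


@dataclass
class RiskEntry:
    risk_id: str
    weakness: str            # the finding, e.g. from an audit or assessment
    severity: str            # key of SLA_DAYS
    owner: Optional[str]     # accountable person or team; None = unassigned
    opened: date
    status: str = "open"     # open | in_progress | remediated | accepted
    closed: Optional[date] = None

    @property
    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        return self.status in OPEN_STATES and today > self.due


class RiskRegistry:
    def __init__(self) -> None:
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {entry.severity!r}")
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def assign(self, risk_id: str, owner: str) -> None:
        self._entries[risk_id].owner = owner

    def close(self, risk_id: str, on: date, status: str = "remediated") -> None:
        if status not in ("remediated", "accepted"):
            raise ValueError("close with 'remediated' or 'accepted'")
        entry = self._entries[risk_id]
        entry.status, entry.closed = status, on

    def unowned(self) -> List[str]:
        """Open items nobody is accountable for: the first gap to close."""
        return sorted(e.risk_id for e in self._entries.values()
                      if e.status in OPEN_STATES and e.owner is None)

    def overdue(self, today: date) -> List[str]:
        return sorted(e.risk_id for e in self._entries.values()
                      if e.is_overdue(today))

    def owner_metrics(self, today: date) -> Dict[str, Dict[str, int]]:
        """Per-owner counts that can back a remediation KPI."""
        metrics: Dict[str, Dict[str, int]] = {}
        for e in self._entries.values():
            if e.owner is None:
                continue
            row = metrics.setdefault(e.owner, {"open": 0, "overdue": 0,
                                               "closed_on_time": 0, "closed_late": 0})
            if e.status in OPEN_STATES:
                row["open"] += 1
                if e.is_overdue(today):
                    row["overdue"] += 1
            elif e.closed is not None:
                row["closed_on_time" if e.closed <= e.due else "closed_late"] += 1
        return metrics


def build_sample_registry() -> RiskRegistry:
    """Constructed sample data, not findings from any real assessment."""
    reg = RiskRegistry()
    reg.add(RiskEntry("R-001", "Unsupported OS on file server", "high", "infra-team", date(2017, 8, 1)))
    reg.add(RiskEntry("R-002", "No MFA on remote access VPN", "critical", "identity-team", date(2017, 9, 25)))
    reg.add(RiskEntry("R-003", "Stale accounts not reviewed", "medium", None, date(2017, 9, 1)))
    reg.add(RiskEntry("R-004", "Weak TLS configuration on intranet", "low", "appsec-team", date(2017, 3, 1)))
    reg.close("R-004", on=date(2017, 8, 15))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("unowned:", reg.unowned())            # R-003 has no accountable owner
    print("overdue:", reg.overdue(SAMPLE_AS_OF))  # R-001 blew its 30-day SLA
    print("by owner:", reg.owner_metrics(SAMPLE_AS_OF))
```

The two checks a governance team would run at every review are `unowned()` and `overdue()`: an item with no owner cannot be driven to closure, and an overdue item with an owner is exactly the signal that can be tied to that owner's success metrics. Whether a closed item counts as on time is judged against the deadline derived from its severity, so "accepted" risks still need a documented closure date rather than silently dropping out of the report.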

I’m drafting a longer article to provide guidance for risk registry implementation for an upcoming ISACA Toronto Chapter talk.

*The full GAO report is here.

Further reading from BankInfoSecurity.
