The initial phase is about planning with key personnel.
The goal is to:
- Identify the problems together with key personnel
- Develop and present solutions together with key personnel
Example steps:
- Identify the key personnel.
- With the key personnel:
  - Draw the end-to-end process in the asset inventory, from when the system is commissioned to when it is decommissioned
  - Draw the end-to-end process in the vulnerability management database, from when the system is onboarded to when it is offboarded
  - Define and document the points (if any) where these processes intersect:
    - When the system is onboarded in IT ops, when does IT security find out?
    - When IT security finds a system that is not in its database, when do they tell IT ops?
  - Identify and provide solutions to any challenging areas or areas for improvement:
    - How can we ensure that our databases are synced?
    - What KRI do we put in place to know when we have an issue?
    - How can we report to one another if the threshold is met?
    - How do we report to our supervisors when the threshold is met?