PHASE 2: PRIORITY ACTION MAP
The second phase of the Q|Frame™ framework methodology, the Priority Action Map phase, is highly strategic.
The first component of this phase is the prioritization of objectives. This prioritization is typically based on the combination of current risk and the effort level, or cost, required to improve the risk exposure. Critical- and high-risk controls are prioritized highest, along with quick wins. Quick wins are cases in which comparatively low effort is required to improve risk exposure for a given control, or in which the win is critical for the advancement of additional controls.
Once objectives are prioritized, action plans are determined. This is where tactical and operational activities are selected to address prioritized controls. For instance, an organization with an extreme risk in relation to the SANS 20 control “Vulnerability Assessment and Remediation” might define an action plan relating to the deployment of an ongoing vulnerability scanning system.
Once objectives have been prioritized and action plans are formed, a timeline is developed. This timeline is documented in the form of a “priority action map”, which visually displays prioritized controls and the selected time frame for each associated action plan.
While prioritizing resources, we’ll utilize a methodology of “value-based prioritization”.
Using this disciplined methodology, we will walk you through the Q|Frame™ GAP assessment scoring and ranked prioritization.
Together as a team, we will discuss the risk and impact of your current state and the goal and objectives of the proposed solution to address the recommended corrective action.
We will also identify the people, processes, and technology involved in the proposed solution. This information is used to evaluate impact as we review the current and residual risk.
This process will allow the team to finalize the resources, timeline, and corrective action to implement items in the priority action map.