Develop a Remediation Plan
As previously noted, an audit in 2014 revealed significant flaws within the OPM's security program. Not only were this civilian-run agency's investments in security woefully inadequate, its lax attitude towards security had been known for quite some time. In fact, the "material weakness" cited in the 2013 audit report on the OPM was escalated to a "significant deficiency" in 2014. After the initial audit in 2013, the OPM should have put a remediation plan in place within 30 days, yet the organization did nothing, and unfortunately, its negligence backfired.
Further, the OPM had difficulties meeting some of the basics of security, including authorization, controls testing, and security program planning. Because thorough assessments and control testing were not adequately carried out, the OPM did not know where its security gaps were and therefore was unable to put an effective remediation plan in place.
As a first step in security remediation planning, organizations must ensure that they fully understand the threat landscape, prioritize a true risk profile, and stay attuned to emerging risks that may threaten the organization's operational integrity, reputation and risk posture. Next, the plan needs to be fully supported in the organization from the top down to ensure its effective and timely adoption. Finally, if the plan is not implemented, oversight authorities need to be in a position to impose severe consequences when standards are not met.