Value of Annual Risk Assessment Reports and a Proper POAM

A short bio to introduce myself: I have been involved in technology for over 25 years, including network design, deployment, and configuration of various logging and reporting techniques for these systems into a Secure Managed Environment, Systems Administration, and the delivery of technology services to assist customers in their business processes. I have been heavily involved in Cyber for the past ten years and currently hold CISSP and SANS GSEC certifications.

As I work closely with various customers over time to meet their IA compliance requirements, the value of a proper annual Risk Assessment and the resulting RAR (Risk Assessment Report), including a POA&M (Plan of Action and Milestones), becomes increasingly evident to me and to the customer. The reports capture where compliance stood on day one; as the assessment team reviews the environment annually, the initial documents are revised into updated versions that note the differences from the prior year but are never deleted. In my POA&Ms I include a tab for “Completed POA&M Controls” and move every item completed during the previous year into that list. That list then becomes a quick reference for any executive or potential auditor to measure progress and changes year over year.

About sistech
