cc4-2 | High priority | Security / Monitoring Activities

Control deficiencies are identified, evaluated, and communicated

Finding a control gap is only valuable if something is done about it. This control requires a process to evaluate the severity of deficiencies, communicate them to the right people, and track remediation. An organization that discovers control failures and quietly files them away is failing this criterion even if it has excellent monitoring. The evidence auditors look for is a closed loop from deficiency identified to remediation confirmed.

Complete first: cc4-1

Implementation steps

  1. Classify deficiencies by severity

     Define severity levels for control deficiencies. A common model: Observation (minor issue, low risk), Deficiency (control not working as designed, moderate risk), Significant Deficiency (could allow material misstatement or security failure, high risk), Material Weakness (fundamental control failure). Document the definitions. Apply the same classification to findings from internal audits, external audits, and penetration tests.

     Tools: Jira, Linear, Notion, Google Sheets

  2. Communicate deficiencies to appropriate stakeholders

     Route deficiency reports to the right level: minor findings go to the control owner, significant deficiencies go to the security lead and relevant executive, material weaknesses go to board-level oversight. Document who received each finding and when. A deficiency that is found but not communicated to someone who can fix it is effectively not found.

     Tools: Jira, email, Slack, Linear

  3. Track remediation to closure

     Assign each deficiency to an owner with a target remediation date. Track progress. When remediation is complete, document the validation that the control now works. Maintain a deficiency log that shows all findings, their severity, who they were communicated to, and their current status.

     Tools: Jira, Linear, Notion, Google Sheets

Evidence required

Deficiency tracking log

A record of identified control deficiencies with severity ratings, owners, and statuses.

  - Issue tracker with security deficiency labels and due dates
  - Audit findings log in spreadsheet with remediation status
  - Compliance tool findings queue with assignment and closure dates

Evidence of deficiency communication

Records showing deficiencies were communicated to appropriate stakeholders.

  - Email notifying CISO of significant audit finding
  - Board meeting minutes referencing material control deficiency
  - Penetration test report shared with executive team

Related controls