Target State

Every critical vulnerability has an accountable owner, a hard SLA, verified closure evidence, and auto-escalation. Monitoring tools have health checks. Internet-facing apps are segmented from sensitive data tiers. Disclosure is executed via a tested legal playbook.

Quick Wins

  • Patch SLA with verified closure. CVSS 9.0+ on internet-facing systems patched within 72 hours, closed only after independent confirmation.
  • Control validation schedule. Quarterly test proving the scanner inspects encrypted traffic correctly.
  • Application-level access scoping. ACIS access reduced to only what it needs; removes the 51-database blast radius.
  • Encryption at rest for PII. Database encryption for SSNs/financial records materially reduces harm even if exfiltration occurs.
  • Incident declaration triggers trading restrictions. Automatic trading blackout for executives on material incident declaration.
  • Notification obligations register. Current, tested notification timelines across jurisdictions; prevents 40-day disclosure delay.

1. Governance Fixes

1.1 Patch directives must be governed, not emailed

  • RACI with accountable owner per asset/app
  • Mandatory 48-hour SLA for CVSS 9–10 on internet-facing assets
  • Closure evidence: patch applied + validated scan + runtime verification
  • Auto-escalate to CIO/CISO if SLA breached

1.2 Board oversight must receive posture metrics, not activity updates

  • Report open critical vulns by age, patch SLA compliance, and control assurance failures
  • Define Board minimum cyber dashboard (KRIs + trend + exceptions)
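To make sections 1.1 and 1.2 concrete, here is an added illustration (not code from the page, from Equifax, or from any vendor) of a patch-SLA tracker: each finding carries an accountable owner, closure is gated on the three evidence items the page lists, breached SLAs auto-escalate, and the output is the posture metrics the board section asks for (open criticals by age, SLA compliance, escalations). The 48-hour tier is the page's; the other SLA tiers, the 24-hour grace before executive escalation, and the sample findings are assumptions constructed for this example.

```python
"""Patch-SLA tracker: accountable owner per finding, evidence-gated closure,
auto-escalation on breach, and board-level posture metrics.
Added example; findings and non-48h SLA tiers are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

def sla_hours(cvss: float, internet_facing: bool) -> int:
    """Section 1.1: 48 h for CVSS 9-10 on internet-facing assets.
    The remaining tiers are assumed values for illustration only."""
    if cvss >= 9.0 and internet_facing:
        return 48
    if cvss >= 9.0:
        return 168      # assumption: 7 days for internal criticals
    if cvss >= 7.0:
        return 336      # assumption: 14 days for highs
    return 720          # assumption: 30 days for everything else

# Section 1.1 closure evidence: patch applied + validated scan + runtime verification
REQUIRED_EVIDENCE = frozenset({"patch_applied", "validated_scan", "runtime_verification"})

@dataclass
class Finding:
    id: str
    asset: str
    owner: str                      # accountable owner from the RACI
    cvss: float
    internet_facing: bool
    opened: datetime
    evidence: set = field(default_factory=set)
    closed_at: Optional[datetime] = None

def age_hours(f: Finding, now: datetime) -> float:
    """Age until closure, or until now if still open."""
    return ((f.closed_at or now) - f.opened).total_seconds() / 3600

def within_sla(f: Finding, now: datetime) -> bool:
    return age_hours(f, now) <= sla_hours(f.cvss, f.internet_facing)

def escalation_target(f: Finding, now: datetime) -> Optional[str]:
    """None while within SLA; the owner once breached; CIO/CISO once the
    breach exceeds a further 24 h (the 24 h grace is an assumption)."""
    if f.closed_at or within_sla(f, now):
        return None
    overrun = age_hours(f, now) - sla_hours(f.cvss, f.internet_facing)
    return "CIO/CISO" if overrun > 24 else f.owner

def try_close(f: Finding, now: datetime):
    """Closure gate: refuse to close until every evidence item is attached."""
    missing = sorted(REQUIRED_EVIDENCE - f.evidence)
    if missing:
        return False, missing
    f.closed_at = now
    return True, []

def board_metrics(findings, now: datetime) -> dict:
    """Posture, not activity: open criticals by age, SLA compliance, escalations."""
    crit = [f for f in findings if f.cvss >= 9.0]
    by_age = {"0-2d": 0, "3-7d": 0, ">7d": 0}
    for f in crit:
        if f.closed_at:
            continue
        days = age_hours(f, now) / 24
        by_age["0-2d" if days <= 2 else "3-7d" if days <= 7 else ">7d"] += 1
    compliant = sum(1 for f in crit if within_sla(f, now))
    pct = round(100 * compliant / len(crit), 1) if crit else 100.0
    escalations = {}
    for f in findings:
        target = escalation_target(f, now)
        if target:
            escalations[f.id] = target
    return {"open_critical_by_age": by_age,
            "critical_sla_compliance_pct": pct,
            "escalations": escalations}

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE = [  # constructed sample findings, not real data
    Finding("F-1", "web-portal", "app-team-a", 9.8, True, NOW - timedelta(hours=200),
            {"patch_applied", "validated_scan"}),          # runtime check still missing
    Finding("F-2", "hr-db-admin", "dba-team", 9.1, False, NOW - timedelta(hours=30)),
    Finding("F-3", "api-gateway", "platform-team", 9.4, True, NOW - timedelta(hours=60),
            {"patch_applied", "validated_scan", "runtime_verification"}),
    Finding("F-4", "cms", "marketing-it", 7.5, True, NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    print(board_metrics(SAMPLE, NOW))
    print(try_close(SAMPLE[0], NOW))   # refused: runtime_verification missing
```

The point of the design is that "closed" is a computed state, never a status someone sets by hand: `try_close` will not flip a finding without all three evidence items, and a finding that was closed late still counts against SLA compliance because `age_hours` measures to the closure time, not to now.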

1.3 Disclosure must be a pre-built compliance execution process

  • Always-current breach notification matrix (state/federal/UK/EU timelines)
  • Decision authority: Legal + CISO + CEO with timeboxed approvals
  • Tabletop exercises to prove the process can execute within regulatory windows

1.4 Incident declaration must automatically trigger trading controls

  • Incident-linked trading blackout control: auto-activate at material incident declaration
  • Non-discretionary — no loophole

2. Risk Management Fixes

2.1 Risk closure must require outcome verification

  • Risk closed only when controls are proven effective
  • Closure gate with evidence checks (scan + runtime checks + logs)

2.2 Controls must be monitored for health

  • Health checks for scanners, cert expiry, log pipelines, alert engines
  • Alerts for "security control not functioning" treated as priority-1

2.3 Architecture risk must be assessed and documented

  • Enforce segmentation: web tier cannot directly reach sensitive DBs
  • Least privilege network access (service-to-service allow lists)
  • Encrypt high-sensitivity PII at rest + key management

2.4 Third-party components must be in operational risk monitoring

  • Maintain a software component inventory (SBOM-style)
  • Subscribe to vulnerability feeds; auto-open remediation tickets for critical CVEs
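As an added example of section 2.4 (not code from the page, from Equifax, or from any SBOM or feed vendor), the following matches an SBOM-style component inventory against advisories from a vulnerability feed and auto-opens a remediation ticket, assigned to the app's accountable owner, for every critical hit. The inventory, the feed, the advisory ids (placeholders, not real CVEs), the version ranges and the ticket fields are all constructed; the 48-hour due time reuses the critical SLA from section 1.1.

```python
"""SBOM-style inventory matched against a vulnerability feed, with
auto-opened remediation tickets for critical advisories.
Added example; inventory, feed, advisory ids and ranges are constructed."""
from datetime import datetime, timedelta, timezone

def parse_version(v: str):
    """Dotted numeric versions only (e.g. '2.3.28'); suffixes such as
    '-rc1' are out of scope for this example (assumption)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (half-open range)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

INVENTORY = [  # constructed SBOM-style inventory: which app ships which component
    {"app": "consumer-portal", "owner": "app-team-a",
     "component": "example-web-framework", "version": "2.3.20"},
    {"app": "partner-api", "owner": "platform-team",
     "component": "example-web-framework", "version": "2.5.1"},
    {"app": "consumer-portal", "owner": "app-team-a",
     "component": "example-json-lib", "version": "1.9.4"},
    {"app": "reporting", "owner": "data-team",
     "component": "example-xml-lib", "version": "3.0.0"},
]

FEED = [  # constructed advisories; ids are placeholders, not real CVE numbers
    {"id": "EXAMPLE-ADV-0001", "component": "example-web-framework",
     "cvss": 10.0, "introduced": "2.3.0", "fixed": "2.3.32"},
    {"id": "EXAMPLE-ADV-0002", "component": "example-json-lib",
     "cvss": 6.5, "introduced": "1.0.0", "fixed": "1.9.8"},
    {"id": "EXAMPLE-ADV-0003", "component": "example-xml-lib",
     "cvss": 9.1, "introduced": "3.1.0", "fixed": "3.2.0"},
]

CRITICAL = 9.0
CRITICAL_SLA_HOURS = 48   # section 1.1: 48 h for CVSS 9-10 on internet-facing assets
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed clock

def match_feed(inventory, feed):
    """Every (component instance, advisory) pair whose shipped version is in range."""
    hits = []
    for item in inventory:
        for adv in feed:
            if adv["component"] == item["component"] and \
               is_affected(item["version"], adv["introduced"], adv["fixed"]):
                hits.append({**item, "advisory": adv["id"],
                             "cvss": adv["cvss"], "fixed": adv["fixed"]})
    return hits

def open_tickets(hits, now: datetime):
    """One P1 ticket per critical hit, assigned to the accountable owner
    with a due time derived from the critical SLA."""
    tickets = []
    for h in hits:
        if h["cvss"] >= CRITICAL:
            tickets.append({
                "key": f"VULN-{h['app']}-{h['advisory']}",   # constructed key format
                "owner": h["owner"],
                "priority": "P1",
                "due": (now + timedelta(hours=CRITICAL_SLA_HOURS)).isoformat(),
                "action": f"upgrade {h['component']} to >= {h['fixed']}",
            })
    return tickets

if __name__ == "__main__":
    for t in open_tickets(match_feed(INVENTORY, FEED), NOW):
        print(t)
```

Two things the matching has to get right for the monitoring to be trustworthy: the version comparison must be numeric (string comparison would rank "2.3.9" above "2.3.20"), and the range must be half-open so the fixed release itself is not flagged. Everything below the critical threshold still appears in `match_feed` output for tracking; only critical hits open tickets automatically.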

3. Compliance Fixes

3.1 Data retention must be governed

  • Retention schedule tied to lawful basis and business requirement
  • Automate deletion/anonymization; generate audit evidence

3.2 Breach notification readiness must be tested

  • Run simulations: can we notify within 72 hours across jurisdictions?
  • Maintain a pre-approved notification playbook and templates

Bottom Line

Equifax didn't fail because they lacked tools. They failed because they lacked a disciplined process to enforce ownership, verify outcomes, and escalate exceptions. Build the operating model, and the technical controls start working.