89 - Evaluating fixes
Post audit, the project team may work on any required fixes for reported findings and request the audit firm to review their responses.
- Fixes may be applied for a majority of the findings, and the review may need to confirm that the applied fixes (which could differ from the audit's recommended fixes) indeed mitigate the risk reported by the findings. Other findings may be contested as not being relevant, as outside the project's threat model, or simply acknowledged as being within the project's acceptable risk model.
- Audit firms may evaluate the specific fixes applied and confirm/deny their risk mitigation. Unless it is a fix/retainer type audit, this phase typically takes no more than a day, because it would usually fall outside the agreed-upon duration of the audit.
- Findings: Accept/Acknowledge/Deny
- Fixes: Recommend/Review
- Evaluation: Time & Timeline
- Ensure Security