Improvement Workflow
Purpose
This page defines how identified security issues are processed from detection to resolution within the Scheol Security Lab.
The objective is to ensure that:
- findings are not ignored
- actions are prioritized consistently
- improvements are validated before being considered effective
- documentation remains aligned with reality
Workflow Overview
Continuous improvement follows a simple and repeatable flow:
Finding → Analysis → Prioritization → Action → Validation → Update
Step 1 – Finding
A finding represents any identified weakness or inconsistency.
Sources
- Residual Gaps (uncovered or partially covered risks)
- Control Status (Planned / In Progress controls)
- Validation results (failed or partial scenarios)
- Detection gaps (missing visibility or detection)
- Evidence review (missing, outdated or inconsistent evidence)
Examples
- missing MFA on administrative access
- reverse proxy exposing unintended services
- logs not centralized or not reviewed
- backup strategy not resilient
Step 2 – Analysis
The finding is analyzed to understand:
- root cause
- affected systems or zones
- associated risk(s)
- potential impact
Output
- clarified problem statement
- linkage to:
  - Risk (R-XXX)
  - Control (C-XXX)
Step 3 – Prioritization
Findings are prioritized based on:
- risk severity
- exposure level (public vs internal)
- impact on critical assets
- ease of remediation
Priority Levels (Simple Model)
| Level | Description |
|---|---|
| High | Immediate risk exposure or critical control missing |
| Medium | Important but not immediately exploitable |
| Low | Improvement or optimization |
Step 4 – Action
A corrective or improvement action is defined and implemented.
Examples
- enforce MFA on sensitive services
- restrict firewall rules between zones
- deploy centralized logging
- separate co-hosted services
Actions must be:
- realistic
- scoped
- linked to the original finding
Step 5 – Validation
After implementation, the improvement must be verified.
Methods
- configuration review
- execution of verification scenarios (V-XXX)
- observation of logs or system behavior
- generation of evidence (E-XXX)
Objective
Ensure that:
- the issue is effectively addressed
- no new unintended exposure is introduced
Step 6 – Update
Once validated:
- control status is updated (Control Status)
- residual gaps are reduced or reclassified
- evidence is documented (Audit & Evidence)
- documentation is aligned with the current state
Failure Handling
If validation fails:
- the finding remains open
- the action is reassessed or refined
- additional measures may be required
No improvement is considered complete without validation.
Traceability Requirement
Each improvement must be traceable across:
- Finding → Risk (R-XXX)
- Finding → Control (C-XXX)
- Action → Validation (V-XXX)
- Validation → Evidence (E-XXX)
This ensures full visibility of why an improvement exists and whether it is effective.
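The failure-handling and traceability rules above can be checked mechanically against a backlog entry. The following is an added example, not code from the Scheol Security Lab; it assumes identifiers of the form R-<digits>, C-<digits>, V-<digits>, E-<digits> and a constructed sample entry, and refuses to close an improvement whose validation is missing or failed or whose Finding → Risk/Control and Action → Validation → Evidence links are incomplete.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed identifier shapes for the lab's R-XXX / C-XXX / V-XXX / E-XXX references.
ID_PATTERNS = {
    "risk_ids": r"^R-\d+$",        # Finding -> Risk
    "control_ids": r"^C-\d+$",     # Finding -> Control
    "validation_ids": r"^V-\d+$",  # Action -> Validation
    "evidence_ids": r"^E-\d+$",    # Validation -> Evidence
}
PRIORITIES = {"High", "Medium", "Low"}

@dataclass
class Improvement:
    """One backlog entry following Finding -> Analysis -> ... -> Update."""
    finding: str
    risk_ids: list = field(default_factory=list)
    control_ids: list = field(default_factory=list)
    priority: str = ""                        # Step 3 outcome
    action: str = ""                          # Step 4 outcome
    validation_ids: list = field(default_factory=list)
    validation_passed: Optional[bool] = None  # None = validation not yet executed
    evidence_ids: list = field(default_factory=list)

def traceability_gaps(imp: Improvement) -> list[str]:
    """Return every missing or malformed link required by the traceability rule."""
    gaps = []
    for attr, pattern in ID_PATTERNS.items():
        ids = getattr(imp, attr)
        if not ids:
            gaps.append(f"missing {attr}")
        gaps += [f"malformed {attr}: {i}" for i in ids if not re.match(pattern, i)]
    if imp.priority not in PRIORITIES:
        gaps.append("priority not set to High/Medium/Low")
    if not imp.action:
        gaps.append("no action defined for finding")
    return gaps

def can_close(imp: Improvement) -> tuple[bool, list[str]]:
    """Step 6 (Update) is allowed only with complete traceability and a passed validation."""
    reasons = traceability_gaps(imp)
    if imp.validation_passed is None:
        reasons.append("validation not executed")
    elif not imp.validation_passed:
        reasons.append("validation failed: finding stays open, reassess action")
    return (not reasons, reasons)

# Constructed sample entry, not taken from the lab's real backlog.
SAMPLE = Improvement(finding="missing MFA on administrative access",
                     risk_ids=["R-001"], control_ids=["C-004"], priority="High",
                     action="enforce MFA on sensitive services", validation_ids=["V-002"],
                     validation_passed=True, evidence_ids=["E-007"])
```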
Current Approach
At the current stage:
- workflow execution is manual
- prioritization is qualitative
- improvements are tracked in a centralized backlog
- validation is partially implemented
This reflects a pragmatic and evolving approach, aligned with the lab's current maturity.
Objective
The goal is not to eliminate all issues, but to ensure that:
- no critical finding is ignored
- improvements are consistently applied
- the lab evolves based on observed weaknesses
This workflow provides a simple but effective mechanism to maintain control over security evolution in the Scheol Security Lab.