Best Practices Guide
Recommended practices to get consistent, high-quality, audit-ready results from IEFYX.
Risk Management
- Set SLA windows that match your contractual commitments; review breaches weekly.
- Use asset criticality and internet-facing flags to prioritize beyond raw severity.
- Calibrate risk appetite and control weight to your clients' tolerance.
Vulnerability Management
- Always supply a CVSS score so severity is consistent and defensible.
- Add CWE/OWASP/MITRE classification to make findings searchable and report-ready.
- Rely on the dedup fingerprint to avoid duplicate findings across scans.
- Keep status current (Open → In Progress → Fixed → Closed) so dashboards stay accurate.
Reporting
- Maintain a standard report template and set it as default.
- Write the executive summary for management; keep technical detail in finding sections.
- Version reports (Draft → Review → Final) and only deliver Final.
Collaboration
- Push high-severity findings to Jira so developers act in their own workflow.
- Use notifications and escalation for SLA-at-risk items.
- Record retest outcomes promptly to close the loop.
Compliance & Evidence Handling
- Tag every application with its compliance scope (PCI-DSS, ISO 27001, SOC 2, HIPAA, GDPR).
- Attach evidence to every finding; embed screenshots directly in the PoC.
- Use audit logs as compliance evidence.
Security Operations
- Enable 2FA for all users; enforce least-privilege roles.
- Rotate API keys; revoke unused integrations.
- Deactivate departed users immediately.
- Keep your subscription within plan limits to avoid blocked actions.
Golden rule. A finding without a CVSS score, classification and evidence is incomplete. Make these three a hard requirement in your team's definition of done.
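One way to enforce the prioritization rule (criticality and exposure over raw severity), cross-scan dedup and the golden rule's definition of done in a triage script, as an added example that is not part of IEFYX's documentation or product: the fingerprint inputs, the criticality weights and the sample findings are assumptions, not IEFYX's own scheme.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed weights; calibrate them to each client's risk appetite (not IEFYX's own values).
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 1.25, "high": 1.5, "critical": 2.0}
INTERNET_FACING_MULTIPLIER = 1.5

@dataclass
class Finding:
    title: str
    asset: str
    location: str                      # where the issue lives, e.g. a URL path
    cvss: "float | None" = None        # CVSS base score, 0.0-10.0
    classification: dict = field(default_factory=dict)  # {"cwe": ..., "owasp": ..., "mitre": ...}
    evidence: list = field(default_factory=list)        # attached screenshots / PoC artefacts
    asset_criticality: str = "medium"
    internet_facing: bool = False

def dedup_fingerprint(f: Finding) -> str:
    """Stable hash over asset, CWE and location (assumed scheme) so re-scans collapse onto one record."""
    key = "|".join([f.asset.lower(), f.classification.get("cwe", ""), f.location.lower()])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def priority_score(f: Finding) -> float:
    """Rank beyond raw severity: CVSS scaled by asset criticality and internet exposure."""
    score = (f.cvss or 0.0) * CRITICALITY_WEIGHT.get(f.asset_criticality, 1.0)
    return score * INTERNET_FACING_MULTIPLIER if f.internet_facing else score

def definition_of_done(f: Finding) -> list:
    """Return the mandatory fields still missing; an empty list means the finding is complete."""
    gaps = []
    if f.cvss is None or not 0.0 <= f.cvss <= 10.0:
        gaps.append("cvss")
    if not any(f.classification.get(k) for k in ("cwe", "owasp", "mitre")):
        gaps.append("classification")
    if not f.evidence:
        gaps.append("evidence")
    return gaps

def merge_scan(existing: list, new_scan: list) -> list:
    """Append only findings whose fingerprint is not already tracked."""
    seen = {dedup_fingerprint(f) for f in existing}
    return existing + [f for f in new_scan if dedup_fingerprint(f) not in seen]

# Constructed sample findings for illustration (not real scan data).
XSS_FIRST = Finding("Reflected XSS", "shop.example.com", "/search?q=", 6.1,
                    {"cwe": "CWE-79", "owasp": "A03:2021"}, ["xss.png"], "high", True)
XSS_RESCAN = Finding("Reflected XSS (rescan)", "SHOP.example.com", "/search?q=", 6.1,
                     {"cwe": "CWE-79"}, ["xss-2.png"], "high", True)
```

Sort the merged list by `priority_score` descending to get the remediation order, and reject any finding whose `definition_of_done` list is non-empty before it moves past Open.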