Learn by Directing AI
Unit 8

The Remediation Plan and the Board Presentation

Step 1: Structure the remediation plan

The assessment is complete. You have findings from Units 2 through 7: segmentation failures, the Al Wakra legacy system, the third-party VPN risk, the shared fiber connection, and the lateral movement test results. Now compile everything into a document Fatima can use.

Three audiences need different information from the same findings:

  • The insurance company needs compliance evidence. They flagged "insufficient segmentation." They need to see that segmentation was assessed, failures were found, controls were implemented, and verification proves the controls work.
  • The board needs costs and timeline. They approve budgets. They need to know what the options are, what each costs, and what happens if they do nothing (30% premium increase).
  • The IT team needs technical implementation details. Ahmed Khalil's team will do the work. They need specific configurations, network diagrams, and the order of operations.

The remediation plan should make each audience's section self-contained. An insurance auditor should not need to read the technical appendix. A board member should not need to understand Docker networking. Ahmed should not need to read the executive summary to find the implementation steps.

Step 2: Prioritise the findings

Not all findings are equal. Order by business risk, not by the sequence you discovered them.

  • Critical -- immediate: Tenant Wi-Fi to BMS connectivity. Life-safety systems accessible from untrusted network. The segmentation you implemented in Unit 3 addresses this. Implementation cost: configuration only (Docker networking changes). Timeline: completed during assessment.
  • Critical -- immediate: Tenant Wi-Fi to access control connectivity. Physical security systems accessible from untrusted network. Same remediation as BMS.
  • High -- near-term: Al Wakra legacy BMS authentication gap. Compensating control in place (dedicated monitoring). Long-term fix: system replacement. Cost: hardware and installation.
  • High -- near-term: Third-party CCTV vendor VPN scope. VPN access limited by segmentation, but vendor access policy needed. Cost: configuration plus policy development.
  • Medium -- planned: Shared fiber single point of failure. Two buildings share connectivity. Cost: dedicated fiber connections or hardware firewall reconfiguration.
  • Recommendation: Vendor access management policy. Not a technical finding but directly relevant to the insurance company's concern.

Step 3: Create cost estimates

Direct AI to research typical costs for each remediation item. Fatima asked for options to present to the board.

The cost categories:

  • Network segmentation implementation (Docker/infrastructure reconfiguration) -- mostly labor
  • Legacy BMS replacement (Al Wakra) -- hardware, software, installation, commissioning
  • Shared fiber separation (dedicated connections per building) -- ISP and construction
  • VPN reconfiguration and vendor access policy -- labor and governance

Present costs in Qatari Riyals (QAR). For each item: immediate cost, ongoing cost (if any), and the cost of not doing it (insurance premium increase, risk exposure).

Step 4: Design the implementation timeline

Three months to the insurance deadline. What fits within that window?

Map each remediation item to the timeline:

  • Immediate (already done): Network segmentation and firewall rules. Detection rules. These were implemented during the assessment.
  • 1 month: VPN reconfiguration, vendor access policy development.
  • 2-3 months: Shared fiber firewall hardening (if not separating fiber).
  • 3-6 months: Shared fiber separation (if choosing dedicated connections). Requires ISP engagement and construction.
  • 6-12 months: Al Wakra BMS replacement. Requires procurement, installation, and commissioning without disrupting building operations.

The insurance company needs to see that the critical items (segmentation, detection) are already in place, and that the longer-term items have funded timelines.

Step 5: Write the architecture documentation

Document the network architecture so future operators understand it. This is not a report for Fatima -- it is a reference for Ahmed's team and whoever comes after them.

For each network zone: which containers belong to it, which traffic is allowed in and out, and why. For each firewall rule: what it does, which zone boundary it controls, and the business justification. For the Al Wakra exception: the compensating control, the residual risk, and the scheduled review date.

This documentation matters because network architecture is invisible in normal operation. A developer who does not know the segmentation exists will file a bug report when their new service cannot reach the database. The person responding needs to know that the segmentation was a deliberate security decision, not a misconfiguration.
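As an added illustration (not part of the course material), a small machine-readable zone and rule register with a lookup that answers the question raised above: is a blocked flow a deliberate segmentation decision or a misconfiguration? The zone names, container names, rules, ports and the review date are constructed assumptions.

```python
# Added example (not the course's own lab files): a zone and rule register for
# a segmented Docker network, with a lookup that tells a responder whether a
# blocked flow is deliberate. All names, ports and dates are constructed.
from datetime import date

# Zone -> containers attached to that Docker network.
ZONES = {
    "tenant_wifi": {"guest-portal"},
    "bms": {"bms-server", "bms-historian"},
    "access_control": {"acs-controller"},
    "corporate": {"helpdesk-app", "facilities-dashboard"},
    "vendor_vpn": {"cctv-vendor-gw"},
}

# Explicit cross-zone allows, (src_zone, dst_zone, port) -> business justification.
# Any flow not listed here is denied by the segmentation.
RULES = {
    ("corporate", "bms", 443): "Facilities dashboard reads BMS trends over HTTPS",
    ("vendor_vpn", "corporate", 8443): "CCTV vendor maintenance, limited to the VMS host",
}

# Documented exceptions: compensating control, residual risk, scheduled review date.
EXCEPTIONS = {
    "al_wakra_legacy_bms": {
        "zone": "bms",
        "compensating_control": "dedicated monitoring of the legacy controller",
        "residual_risk": "unauthenticated legacy protocol remains in use",
        "review_date": date(2025, 6, 30),
    },
}

def zone_of(container: str):
    return next((z for z, members in ZONES.items() if container in members), None)

def explain_flow(src: str, dst: str, port: int) -> str:
    """Tell a responder whether a flow is allowed, and why or why not."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "unknown container: not in the zone register, update the register first"
    if s == d:
        return f"allowed: same zone ({s}), no boundary crossed"
    why = RULES.get((s, d, port))
    if why:
        return f"allowed by rule {s}->{d}:{port}: {why}"
    return f"blocked by design: {s}->{d}:{port} crosses a zone boundary with no documented rule"

def overdue_exceptions(today_iso: str) -> list:
    """Names of exceptions whose scheduled review date has already passed."""
    today = date.fromisoformat(today_iso)
    return [n for n, e in EXCEPTIONS.items() if e["review_date"] < today]
```

A responder handling the "my new service cannot reach the database" ticket runs explain_flow on the two containers and port; the register also lists exceptions whose review date has lapsed.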

Contact Fatima with the remediation plan structure. She reviews the cost estimates and asks: "What's the minimum we need to do to satisfy the insurance company, and what's the full recommendation?" She needs both to present to the board -- the compliance minimum and the security recommendation.

This forces you to distinguish "compliant" from "secure." The insurance company needs segmentation evidence. The security recommendation includes the legacy BMS replacement, the shared fiber separation, and the vendor access policy. The board gets to choose.

✓ Check

  • Remediation plan covers all findings from Units 2-7.
  • Cost estimates present at least three cost categories.
  • Implementation timeline maps to the three-month insurance deadline.
  • Architecture documentation covers all network zones and traffic rules.