Is your business taking information security seriously? Hopefully the answer is yes, because no company can afford to ignore the legal and regulatory risk that comes with an inadequate information protection program.
An effective vulnerability management program is an essential component of your information security playbook. Vulnerability management is the ongoing process of identifying, classifying, prioritizing, mitigating, and remediating weaknesses in your information systems. Vulnerabilities can exist in many places within an information technology function, including at the network, operating system, database, application, policy, or employee level of the organization.
The foundational step is to have a defined information security policy that establishes the baseline of an organization's desired security state. This baseline defines the high-level principles that will be followed to deliver effective security and keep important information assets protected. Some of the key items to be defined at this stage include ownership of IT assets, risk classification techniques, policies, and data protection mechanisms.
The information security policy is then used to perform a baseline audit of actual vs. desired state throughout the IT environment. This assessment should be conducted by information systems auditors or administrators who are skilled in the given technology platform. Once the audit is completed, all of the identified vulnerabilities should be consolidated into a single enterprise vulnerability matrix, so that the same weakness found on many systems is recorded once and fixed once. Prioritizing the identified vulnerabilities is the next step, and it is best done by a team that combines security, risk assessment, and system administration skills. That integrated team is in the best position to weigh each issue against the value and exposure of the affected assets, so that an organization's limited resources are spent where they reduce the most risk.
The prioritized vulnerabilities are then tracked until they are resolved by the individuals responsible for correction. During this step it is important to understand why a vulnerability exists, so that a permanent fix can be implemented rather than a temporary band-aid. A root cause analysis is the tool for getting to the "why" of the situation; an item should not be closed until its root cause has been recorded and addressed, otherwise the same weakness reappears at the next audit.
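To make the consolidate, prioritize and track steps concrete, here is an added Python example (not code from the original article, and not any particular product's data model). It builds a vulnerability matrix from raw findings, one entry per distinct issue with every affected host attached, ranks entries with an assumed scoring scheme (base severity scaled by the most critical affected asset, doubled when any affected host is internet-facing), and refuses to close an entry that has no recorded root cause. The findings, the asset inventory, the scoring weights and the status names are all constructed assumptions for illustration; a real program would substitute its own classification scheme from the policy step.

```python
"""Build an enterprise vulnerability matrix from raw findings, rank it, and
track each item to closure. Added example with constructed data; the
findings, asset inventory, scoring weights and status names are assumptions."""
from dataclasses import dataclass, field

# Constructed findings, as they might arrive from a network scanner, an OS
# patch audit and an application review. "severity" is a 0-10 base score.
FINDINGS = [
    {"host": "web-01", "issue": "Outdated OpenSSL package", "severity": 7.5},
    {"host": "web-02", "issue": "Outdated OpenSSL package", "severity": 7.5},
    {"host": "db-01", "issue": "Default database admin password", "severity": 9.8},
    {"host": "hr-laptop-07", "issue": "Disk encryption disabled", "severity": 5.5},
    {"host": "web-01", "issue": "Directory listing enabled", "severity": 5.3},
]

# Assumed asset inventory from the policy's ownership/classification step:
# criticality 1 (low) to 5 (business critical), plus network exposure.
ASSETS = {
    "web-01": {"owner": "web-team", "criticality": 4, "internet_facing": True},
    "web-02": {"owner": "web-team", "criticality": 4, "internet_facing": True},
    "db-01": {"owner": "dba-team", "criticality": 5, "internet_facing": False},
    "hr-laptop-07": {"owner": "it-ops", "criticality": 2, "internet_facing": False},
}


@dataclass
class MatrixEntry:
    issue: str
    severity: float
    hosts: list = field(default_factory=list)
    owners: set = field(default_factory=set)
    max_criticality: int = 0
    internet_facing: bool = False
    status: str = "open"          # assumed workflow: open -> closed
    root_cause: str = ""

    def risk(self) -> float:
        # Assumed scheme: base severity scaled by the most critical affected
        # asset, doubled when any affected host is reachable from the internet.
        exposure = 2.0 if self.internet_facing else 1.0
        return round(self.severity * self.max_criticality * exposure, 2)


def build_matrix(findings, assets):
    """Consolidate findings into one entry per distinct issue, ranked by risk.
    The same weakness on many hosts becomes one line item so it is fixed once."""
    entries = {}
    for f in findings:
        asset = assets[f["host"]]
        e = entries.setdefault(f["issue"], MatrixEntry(f["issue"], f["severity"]))
        e.hosts.append(f["host"])
        e.owners.add(asset["owner"])
        e.max_criticality = max(e.max_criticality, asset["criticality"])
        e.internet_facing = e.internet_facing or asset["internet_facing"]
        e.severity = max(e.severity, f["severity"])
    return sorted(entries.values(), key=lambda e: e.risk(), reverse=True)


def close_entry(entry, root_cause):
    """Mark an entry resolved. Closure requires a recorded root cause so the
    fix addresses why the weakness existed rather than only the symptom."""
    if not root_cause.strip():
        raise ValueError(f"refusing to close '{entry.issue}' without a root cause")
    entry.root_cause = root_cause
    entry.status = "closed"


def open_entries(matrix):
    """Entries still awaiting a fix; this is what ongoing monitoring reviews."""
    return [e for e in matrix if e.status != "closed"]


if __name__ == "__main__":
    matrix = build_matrix(FINDINGS, ASSETS)
    for e in matrix:
        hosts = ", ".join(e.hosts)
        owners = ", ".join(sorted(e.owners))
        print(f"{e.risk():6.1f}  {e.status:<6} {e.issue} [{hosts}] -> {owners}")
    close_entry(matrix[0], "no patch pipeline for base images; automated rebuild added")
    print(len(open_entries(matrix)), "items still open")
```

The ordering the ranking produces is the point to notice: the default database password has the highest raw severity, but the outdated OpenSSL package outranks it because it sits on two internet-facing, high-criticality hosts. That is the judgement the integrated team is meant to encode, and whatever weights you choose, they should come from the asset classification defined in the policy step rather than from the scanner's score alone.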
Once vulnerabilities have been addressed, it is important to maintain the improved state of operation. Ongoing monitoring and periodic audit assessments are necessary to confirm that the implemented improvements are being sustained, that fixed issues have not regressed, and that your organization is doing what is required from an information security standpoint.
Now that you have learned the basic approach, I encourage you to learn more about implementing your own vulnerability management program to protect your business from information security risks.