Top 10 Checklist for an Effective Vulnerability Management Program for CISOs

By Siddharth Anbalahan

March 27, 2015


Vulnerability management is critical within any organization to identify, classify, remediate, and mitigate vulnerabilities. Organizations that set up effective vulnerability management programs take a proactive and preemptive approach to the safety of their applications, software and networks, and are significantly less exposed to data breaches and theft.

For a Vulnerability Management Program to meet these objectives, a CISO needs to ensure that it satisfies the following ten requirements:

1. Maintain an Updated IT Assets Inventory and Categorize it by Business Risks
Most companies lack sufficient insight into the number of information assets that are critical to running their business. It is imperative that all of an organization's IT assets are enrolled in the Vulnerability Management Program. IT assets can include in-house managed assets, third-party assets used for business processes, and assets on private or public cloud used to conduct business. Business owners, together with the security team, should assign a risk value to each IT asset according to the part of the business value chain it supports. The risk value can be determined from the business value of the asset, the sensitivity of the information it holds, and the transactions it supports or handles.

2. Prioritize Security Assessments on the Basis of Risk
Once IT assets have been enrolled and assigned risk values, it becomes easier to prioritize security assessments. Make effective use of automated and manual assessments on your IT assets depending on the risk value assigned to them. For example, a high-risk asset can be designated for a more detailed assessment with manual expert security testing, whereas a low-risk asset can receive a general vulnerability scan for compliance. This approach also helps when collaborating with business owners to schedule security assessments: critical assets can be assessed frequently, on a weekly or monthly basis, whereas others can follow a less frequent schedule.

3. Engage IT Teams in a Continuous Security Assessment Plan
IT teams need to be made aware of the need to integrate security assessments into their build and deploy cycles. Once the schedule of assessments is decided, the IT teams involved have to ensure that all of the necessary assets are ready and configured for assessment. This is a key requirement for the success of a vulnerability management program.

4. Maintain Updated Security Baselines
In order to improve the overall IT security posture, the vulnerability management program should be guided by secure baselines/standards against which assessments should be carried out. These baselines should be created for different asset types and can be further categorized into mandatory, important and optional standards.

5. Map Baselines with Compliance Requirements
Ensure that baselines map to the compliance requirements of the business, for example PCI DSS for handling payment card data. Adhering to the security baselines or standards then automatically supports compliance with the applicable external standards.

6. Empower IT Teams with Security Training
Once the vulnerabilities have been identified, the IT team needs to mitigate the risks on the IT assets. Training IT teams in secure baselines and secure-coding guidelines goes a long way in ensuring that vulnerabilities are mitigated faster.

7. Adopt a Risk-Based Mitigation Strategy
The derived risk values of the IT assets will help in determining the controls that have to be applied to mitigate the risks on those assets. Whether an asset warrants, for example, two-factor authentication or only a strong password policy is determined by the risk value and type of the asset that has to be protected.

8. Integrate Mitigation Tracking into the VM Program
Maintain a system, such as a management information system (MIS), to track the mitigation of vulnerabilities by vulnerability class and asset type. This system can help you determine the progress of mitigations, how classes of vulnerabilities are being mitigated and how soon. Assigning mitigation tasks to specific teams or IT owners and integrating them with bug-tracking systems also proves beneficial to the success of a vulnerability management program.

9. Define, Measure and Review the Metrics for the VM Program
Determine whether the program is on track to assess all the enrolled IT assets. Determine whether vulnerabilities are being addressed and risks mitigated as time progresses. Measure the time taken to bring newly acquired assets or asset components into the program, and the time taken for critical business applications to go live. These metrics give you better visibility of the security issues affecting your IT assets. The intelligence gained can be used to further fine-tune your vulnerability management program, drive specific trainings, and develop better IT security standards.

10. Centralized Visibility of the Entire Vulnerability Management Program
Finally, all stakeholders of the vulnerability management program should have a unified view of the current status of the vulnerability management program. A centralized dashboard can serve this purpose by providing views of the assessment schedule across all assets, the most critical vulnerabilities that need immediate attention, and the departments with the highest/lowest number of vulnerable assets.
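The following script is an added example and is not code from the article or its author. It models items 1, 2, 8 and 9 of the checklist in one place: assets are risk-scored from business value, data sensitivity and transaction impact; the risk tier drives the assessment type and cadence; and open and closed vulnerabilities are tracked against per-severity remediation windows to produce the kind of metrics a dashboard would show (overdue items, mean time to remediate per vulnerability class, open findings per department). The scoring weights, tier thresholds, cadences, SLA windows and all asset and vulnerability records are constructed assumptions for illustration, not values from the article.

```python
"""Added example: risk-tiered assessment scheduling and remediation metrics.
All weights, windows and records below are assumptions, not the article's."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional


# Item 1: rate each asset on three factors, each on an assumed 1..3 scale.
@dataclass
class Asset:
    name: str
    owner_dept: str
    business_value: int      # 1 low .. 3 high
    data_sensitivity: int    # 1 public .. 3 regulated data (e.g. cardholder data)
    transaction_impact: int  # 1 none .. 3 revenue-critical


def risk_score(a: Asset) -> int:
    """Weighted sum (range 4..12); sensitivity counts double (assumption)."""
    return a.business_value + 2 * a.data_sensitivity + a.transaction_impact


def risk_tier(a: Asset) -> str:
    s = risk_score(a)
    if s >= 10:
        return "high"
    if s >= 7:
        return "medium"
    return "low"


# Item 2: assessment depth and cadence follow the tier (assumed values).
CADENCE_DAYS = {"high": 7, "medium": 30, "low": 90}
ASSESSMENT_TYPE = {"high": "manual expert test + authenticated scan",
                   "medium": "authenticated scan",
                   "low": "compliance scan"}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


def schedule(assets, last_assessed: dict, today: date):
    """Rows of (name, tier, assessment type, due date, overdue), most urgent first.
    An asset that was never assessed is treated as overdue."""
    rows = []
    for a in assets:
        tier = risk_tier(a)
        last = last_assessed.get(a.name, date.min)
        due = last + timedelta(days=CADENCE_DAYS[tier])
        rows.append((a.name, tier, ASSESSMENT_TYPE[tier], due, due <= today))
    return sorted(rows, key=lambda r: (not r[4], TIER_RANK[r[1]], r[3]))


# Items 8 and 9: track each finding against a remediation window per severity.
@dataclass
class Vuln:
    asset: str
    vuln_class: str       # e.g. "SQL injection", "missing patch"
    severity: str         # critical / high / medium / low
    opened: date
    closed: Optional[date] = None


SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed windows


def is_overdue(v: Vuln, today: date) -> bool:
    end = v.closed or today
    return (end - v.opened).days > SLA_DAYS[v.severity]


def metrics(vulns, assets, today: date) -> dict:
    """Summary figures for a program dashboard."""
    dept_of = {a.name: a.owner_dept for a in assets}
    open_v = [v for v in vulns if v.closed is None]
    closed = [v for v in vulns if v.closed is not None]
    mttr: dict = {}
    for v in closed:
        mttr.setdefault(v.vuln_class, []).append((v.closed - v.opened).days)
    per_dept: dict = {}
    for v in open_v:
        d = dept_of.get(v.asset, "unknown")
        per_dept[d] = per_dept.get(d, 0) + 1
    within = sum(not is_overdue(v, today) for v in closed)
    return {
        "open": len(open_v),
        "open_overdue": sum(is_overdue(v, today) for v in open_v),
        "closed_within_sla_pct": round(100 * within / len(closed), 1) if closed else None,
        "mttr_days_by_class": {k: mean(d) for k, d in mttr.items()},
        "open_by_department": per_dept,
    }


# Constructed sample inventory and findings (not real data).
TODAY = date(2015, 3, 27)
ASSETS = [
    Asset("payment-gw", "Finance", 3, 3, 3),
    Asset("hr-portal", "HR", 2, 3, 1),
    Asset("intranet-wiki", "IT", 1, 1, 1),
]
LAST_ASSESSED = {"payment-gw": date(2015, 3, 23), "hr-portal": date(2015, 2, 1)}
VULNS = [
    Vuln("payment-gw", "SQL injection", "critical", date(2015, 3, 10)),
    Vuln("payment-gw", "missing patch", "high", date(2015, 2, 1), date(2015, 2, 20)),
    Vuln("hr-portal", "XSS", "medium", date(2015, 1, 1), date(2015, 3, 1)),
    Vuln("intranet-wiki", "missing patch", "low", date(2015, 3, 20)),
]

if __name__ == "__main__":
    for row in schedule(ASSETS, LAST_ASSESSED, TODAY):
        print(row)
    print(metrics(VULNS, ASSETS, TODAY))
```

In the sample data the overdue medium-risk portal is scheduled ahead of the never-assessed low-risk wiki, and the open critical SQL injection on the payment gateway shows up as the one overdue finding, which is the ordering a CISO's dashboard should surface first.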



About the author
Siddharth Anbalahan has over 10 years of IT security experience with a specialization in application security. He has spoken at various OWASP conferences and has co-authored the book "Application Security in ISO 27001 Environment". He has successfully developed robust application security programs for many provider and user organizations.

Tags: Uncategorized, vulnerability checklist, Best Practices, compliance requirement, security assessment, vulnerability testing