Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.
If you don’t have vulnerability management tools, or if your VM program is ad hoc, there’s no time like the present. In fact, the Center for Internet Security’s Critical Security Control #3 calls out continuous vulnerability assessment and remediation as an integral part of risk and governance programs.
If you’re still thinking of a vulnerability management policy as a tactical operations tool to use occasionally, there are a lot of good reasons to reconsider. It should be one of the cornerstones of your security program.
A Quick Vulnerability Management Definition
Let’s start by making sure we’re all talking about the same thing. The vulnerability management process is a continuous information security risk undertaking that requires management oversight. Four high-level processes make up vulnerability management: discovery, reporting, prioritization and response. In a strong vulnerability management framework, each process and the sub-processes within it need to be part of a continuous cycle focused on improving security and reducing the risk profile of network assets.
Vulnerability Management Best Practices
Managing vulnerabilities with discovery and rediscovery
Discovery is the process by which network assets are found, categorized and assessed. Information about assets should be categorized into data classes such as vulnerability, configuration, patch state, compliance state or just inventory.
The discovery phase should find every computing asset (yes, every single one) on your network and build a database of knowledge other VM processes can use. Since your network is in a constant state of change, the information about your assets needs to be continually refreshed.
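As an added example (not code from the original post), the discovery and rediscovery cycle described above modelled as a small Python knowledge base: each pass refreshes only the data classes it collected, first-seen hosts are reported, and hosts not rediscovered within a staleness window are flagged for review rather than silently dropped. The host names, observation values and the seven-day window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Data classes named in the post; anything else is rejected at ingest time.
DATA_CLASSES = ("inventory", "vulnerability", "configuration",
                "patch_state", "compliance_state")

@dataclass
class Asset:
    host: str
    last_seen: datetime
    data: dict = field(default_factory=dict)  # data class -> latest observation

class Inventory:
    def __init__(self, stale_after=timedelta(days=7)):
        self.assets = {}
        self.stale_after = stale_after

    def ingest(self, scan_time, observations):
        """Merge one pass ({host: {data_class: value}}); return first-seen hosts."""
        new_hosts = []
        for host, classes in observations.items():
            unknown = set(classes) - set(DATA_CLASSES)
            if unknown:
                raise ValueError(f"unknown data class(es) {unknown} for {host}")
            asset = self.assets.get(host)
            if asset is None:
                asset = self.assets[host] = Asset(host, scan_time)
                new_hosts.append(host)
            asset.last_seen = scan_time
            asset.data.update(classes)  # refresh only what this pass collected
        return sorted(new_hosts)

    def stale(self, now):
        """Assets not rediscovered within the window: review, don't silently drop."""
        return sorted(h for h, a in self.assets.items()
                      if now - a.last_seen > self.stale_after)
    def missing_class(self, data_class):
        """Assets with no observation for a data class, i.e. a coverage gap."""
        return sorted(h for h, a in self.assets.items() if data_class not in a.data)

# Constructed sample data: a first pass and a rediscovery pass ten days later.
T0, T1 = datetime(2024, 1, 1), datetime(2024, 1, 11)
FIRST_PASS = {"web01": {"inventory": "Ubuntu 22.04", "vulnerability": ["constructed-finding-1"]},
              "db01": {"inventory": "RHEL 9", "patch_state": "current"}}
SECOND_PASS = {"web01": {"patch_state": "behind", "compliance_state": "fail"},
               "vpn01": {"inventory": "VPN appliance"}}
def run_demo():
    inv = Inventory()
    first_new, second_new = inv.ingest(T0, FIRST_PASS), inv.ingest(T1, SECOND_PASS)
    return first_new, second_new, inv.stale(T1), inv.missing_class("vulnerability")
```

Running `run_demo()` reports `db01` as stale after the second pass and both `db01` and `vpn01` as lacking vulnerability data, which is exactly the kind of gap the reporting phase needs to surface.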
Reports, reports, reports
Reporting of the data found
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/what-is-vulnerability-management-anyway/