An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals.  These goals should address the information needs of all stakeholders, tie back to the business goals of the enterprise, and reduce the organization’s risk. Existing vulnerability management technologies can detect risk, but they require a foundation of people and processes to ensure that the program is successful.

One way to approach a vulnerability management project is with a four-stage approach, each stage containing its own set of subtasks:

  1. The discovery and inventory of assets on the network.
  2. Asset classification and task assignments:
    • the process that determines the criticality of each asset;
    • the owners of the assets;
    • the frequency of scanning.
  3. The discovery of vulnerabilities on the discovered assets:
    • timelines for remediation of discovered vulnerabilities.
  4. The reporting of remediation of discovered vulnerabilities.

Each stage involves a measurable and repeatable process, as well as a phase of execution. Of course, the aim is to create a managed and optimized process for continuous improvement.
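To make stages two through four concrete, here is an added illustration (not code from the article) of how criticality drives scan frequency and remediation timelines, and how a remediation report falls out of that data. The criticality tiers, scan intervals, SLA days, asset names and finding identifiers are all assumed sample values, not figures the article states.

```python
"""Toy model of stages two to four of the vulnerability management loop.

Added illustration, not code from the article. POLICY values, assets and
findings below are constructed sample data, not figures the article gives.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed example policy: criticality tier -> (scan interval in days, remediation SLA in days)
POLICY = {
    "high": (7, 14),
    "medium": (30, 30),
    "low": (90, 90),
}


@dataclass
class Asset:
    name: str
    owner: str          # who is accountable for remediation (stage two)
    criticality: str    # "high" | "medium" | "low" (stage two)


@dataclass
class Finding:
    asset: str
    vuln_id: str
    found_on: date
    fixed_on: Optional[date] = None


def scan_interval(asset: Asset) -> int:
    """Stage two: scan frequency derived from asset criticality."""
    return POLICY[asset.criticality][0]


def remediation_deadline(asset: Asset, finding: Finding) -> date:
    """Stage three: remediation timeline derived from asset criticality."""
    return finding.found_on + timedelta(days=POLICY[asset.criticality][1])


def remediation_report(assets, findings, today: date) -> dict:
    """Stage four: per-owner report of open, overdue and closed findings."""
    by_name = {a.name: a for a in assets}
    report = {}
    for f in findings:
        a = by_name[f.asset]
        entry = report.setdefault(a.owner, {"open": [], "overdue": [], "closed": []})
        deadline = remediation_deadline(a, f).isoformat()
        if f.fixed_on is not None:
            entry["closed"].append(f.vuln_id)
        elif today.isoformat() > deadline:
            entry["overdue"].append((f.vuln_id, a.name, deadline))
        else:
            entry["open"].append((f.vuln_id, a.name, deadline))
    return report


# Constructed sample data (hypothetical assets and placeholder vulnerability ids).
SAMPLE_ASSETS = [
    Asset("web-01", "web team", "high"),
    Asset("hr-db", "hr it", "high"),
    Asset("printer-3", "facilities", "low"),
]
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-EXAMPLE-001", date(2024, 1, 1), fixed_on=date(2024, 1, 10)),
    Finding("hr-db", "VULN-EXAMPLE-002", date(2024, 1, 1)),
    Finding("printer-3", "VULN-EXAMPLE-003", date(2024, 1, 20)),
]
TODAY = date(2024, 2, 1)

if __name__ == "__main__":
    for owner, entry in remediation_report(SAMPLE_ASSETS, SAMPLE_FINDINGS, TODAY).items():
        print(owner, entry)
```

The report groups findings by asset owner rather than by scanner, which is the point of stage two: a finding with no accountable owner has no one to remediate it, so the owner assignment has to exist before the scan results do.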

Stage One: Asset Discovery and Inventory

According to the CIS Critical Security Controls, as well as other authorities, asset discovery and inventory are the first step in any vulnerability management system. After all, you cannot protect what you do not know about.

An accurate inventory of all authorized and unauthorized devices on the network goes hand in hand with an inventory of all software installed on those devices, because attackers are constantly looking for easily exploitable systems. Ensuring that the information security team knows what is on the network allows them to better protect those systems and to guide the system owners in reducing the risk those assets pose.
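The reconciliation this paragraph describes, as an added example that is not part of the article: an authorized device inventory and an approved-software list are compared against discovery results to surface unauthorized devices, stale inventory records, and unapproved software. All addresses, hostnames and package names are constructed sample values; a real program would load a CMDB export and scanner or agent output in their place.

```python
"""Reconcile an authorized inventory against network discovery results.

Added example, not code from the article. All data below is constructed.
"""

# Constructed: devices the organization believes it owns (e.g. a CMDB export).
AUTHORIZED_DEVICES = {
    "10.0.0.10": {"hostname": "web-01", "owner": "web team"},
    "10.0.0.11": {"hostname": "hr-db", "owner": "hr it"},
    "10.0.0.12": {"hostname": "file-01", "owner": "infra"},
}

# Constructed: software approved for deployment on the fleet.
APPROVED_SOFTWARE = {"nginx", "postgresql", "openssh-server"}

# Constructed: what discovery actually saw (e.g. a network scan plus agent inventory).
DISCOVERED = {
    "10.0.0.10": {"hostname": "web-01", "software": ["nginx", "openssh-server"]},
    "10.0.0.11": {"hostname": "hr-db", "software": ["postgresql", "openssh-server", "unapproved-remote-tool"]},
    "10.0.0.50": {"hostname": "unknown-laptop", "software": ["openssh-server"]},
}


def reconcile(authorized: dict, approved_software: set, discovered: dict) -> dict:
    """Return the three gaps a vulnerability program needs to close.

    unauthorized_devices: seen on the network but absent from the inventory.
    missing_devices: in the inventory but not seen (stale record or offline host);
                     these still need an owner decision, not silent deletion.
    unapproved_software: per device, packages outside the approved set.
    """
    unauthorized_devices = sorted(set(discovered) - set(authorized))
    missing_devices = sorted(set(authorized) - set(discovered))
    unapproved_software = {}
    for ip, info in discovered.items():
        extra = sorted(set(info["software"]) - approved_software)
        if extra:
            unapproved_software[ip] = extra
    return {
        "unauthorized_devices": unauthorized_devices,
        "missing_devices": missing_devices,
        "unapproved_software": unapproved_software,
    }


def owner_for(ip: str, authorized: dict) -> str:
    """Look up who is accountable for a device; unauthorized devices have no owner yet."""
    return authorized.get(ip, {}).get("owner", "UNASSIGNED")


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_DEVICES, APPROVED_SOFTWARE, DISCOVERED)
    for ip in result["unauthorized_devices"]:
        print(f"unauthorized device {ip} ({DISCOVERED[ip]['hostname']}), owner: {owner_for(ip, AUTHORIZED_DEVICES)}")
    for ip in result["missing_devices"]:
        print(f"inventory record {ip} ({AUTHORIZED_DEVICES[ip]['hostname']}) not seen on the network")
    for ip, pkgs in result["unapproved_software"].items():
        print(f"{ip}: unapproved software {pkgs}, owner: {owner_for(ip, AUTHORIZED_DEVICES)}")
```

Each gap maps to a follow-up in stage two: an unauthorized device needs an owner and a criticality before it can be scheduled for scanning, and a missing device needs its record confirmed or retired so the inventory stays accurate.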

There have been many cases where systems are deployed without informing