An enterprise vulnerability management program reaches its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, when its output is tied back to the goals of the enterprise, and when it measurably reduces the organization's overall risk.

Vulnerability management technology can detect risk, but it requires a foundation of people and processes for the program to succeed.

There are four stages to a vulnerability management program:

  • The process that determines asset criticality, asset ownership and scanning frequency, and establishes timelines for remediation;
  • The discovery and inventory of assets on the network;
  • The discovery of vulnerabilities on the discovered assets; and
  • The reporting and remediation of discovered vulnerabilities.

The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process outlined in stage one with an emphasis on continuous improvement. We’ll examine these stages in more detail below.

Stage One: The Vulnerability Scanning Process

1. The first step in this stage is to identify the criticality of the assets in the organization.

To build an effective risk management program, one must first determine what assets the organization needs to protect. This applies to computing systems, storage devices, networks, data types and third-party systems on the organization’s network. Assets should be classified and ranked based on their true and inherent risk to the organization.

Many facets need to be considered in developing an asset's inherent risk rating, such as physical or logical connection to higher-classified assets, user access and system availability.

For example, an asset in the DMZ with logical access to an account database is going to have a higher criticality than an
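The rating described above can be made measurable and repeatable as a small scoring model. The following is an added example and not code from the original article: it assumes four criticality tiers, assumed policy values for scan frequency and remediation timelines, and a constructed inventory in which a DMZ web server has logical access to an account database. Criticality is propagated along logical connections, so an asset that can reach a more critical asset is rated at least one tier below it, and the resulting tier drives how often the asset is scanned and how quickly findings must be remediated.

```python
"""Asset criticality scoring for stage one of a vulnerability management program.

Added example, not from the original article. Tier labels, weights, scan
frequencies and remediation timelines are assumed policy values chosen for
illustration; a real program takes them from its own risk policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordered criticality tiers, lowest to highest (assumed labels).
TIERS = ["low", "medium", "high", "critical"]

# Assumed policy: scan interval and remediation deadline per tier, in days.
SCAN_FREQUENCY_DAYS = {"low": 30, "medium": 14, "high": 7, "critical": 1}
REMEDIATION_SLA_DAYS = {"low": 90, "medium": 30, "high": 14, "critical": 7}

# Assumed mapping from data classification to a starting tier index.
DATA_CLASS_TIER = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Asset:
    name: str
    owner: str
    data_class: str                    # key of DATA_CLASS_TIER
    exposure: str                      # "internal" or "dmz"
    availability: str                  # "standard" or "essential"
    # Names of assets this one can reach over the network (logical connections).
    connects_to: List[str] = field(default_factory=list)


def base_tier(asset: Asset) -> int:
    """Inherent tier before connections are considered: data sensitivity,
    raised one step for exposure to untrusted networks and one step for
    essential availability, capped at the highest tier."""
    tier = DATA_CLASS_TIER[asset.data_class]
    if asset.exposure == "dmz":
        tier += 1
    if asset.availability == "essential":
        tier += 1
    return min(tier, len(TIERS) - 1)


def rate_assets(assets: List[Asset]) -> Dict[str, int]:
    """Rate every asset, then propagate criticality along logical connections:
    an asset that can reach a more critical asset is rated at least one tier
    below that asset. Iterates to a fixed point so multi-hop chains are
    handled regardless of inventory order; tiers only ever increase, so the
    loop terminates."""
    by_name = {a.name: a for a in assets}
    tiers = {a.name: base_tier(a) for a in assets}
    changed = True
    while changed:
        changed = False
        for asset in assets:
            for target in asset.connects_to:
                if target not in by_name:
                    raise KeyError(f"{asset.name} connects to unknown asset {target}")
                inherited = tiers[target] - 1
                if inherited > tiers[asset.name]:
                    tiers[asset.name] = inherited
                    changed = True
    return tiers


def scan_plan(assets: List[Asset]) -> Dict[str, dict]:
    """Turn tiers into the stage-one outputs: owner, criticality label,
    scan frequency and remediation deadline for each asset."""
    tiers = rate_assets(assets)
    plan = {}
    for asset in assets:
        label = TIERS[tiers[asset.name]]
        plan[asset.name] = {
            "owner": asset.owner,
            "criticality": label,
            "scan_every_days": SCAN_FREQUENCY_DAYS[label],
            "remediate_within_days": REMEDIATION_SLA_DAYS[label],
        }
    return plan


# Constructed sample inventory (not real systems). jump-host is listed before
# app-server on purpose so that its rating depends on a second pass.
SAMPLE_INVENTORY = [
    Asset("account-db", "dba-team", "restricted", "internal", "essential"),
    Asset("dmz-web", "web-team", "public", "dmz", "standard", ["account-db"]),
    Asset("jump-host", "ops-team", "public", "internal", "standard", ["app-server"]),
    Asset("app-server", "app-team", "internal", "internal", "standard", ["account-db"]),
    Asset("intranet-wiki", "it-team", "internal", "internal", "standard"),
]

if __name__ == "__main__":
    for name, entry in scan_plan(SAMPLE_INVENTORY).items():
        print(f"{name:14} {entry['criticality']:9} scan every {entry['scan_every_days']:>2}d,"
              f" fix within {entry['remediate_within_days']:>2}d ({entry['owner']})")
```

In the sample, the DMZ web server holds only public content and would rate "medium" on its own, but its logical access to the restricted account database raises it to "high", while the intranet wiki with the same starting data class and no onward connections stays "medium". The jump host is raised from "low" to "medium" only because the app server it reaches was itself raised by the database, which is why the propagation runs to a fixed point rather than in a single pass.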