I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates.
While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
Information security and risk management go hand in hand. In fact, the primary responsibility of any information security professional is to effectively manage the security risks posed to the organization's information assets. As you point out in your question, all of the time and resources invested in security controls should be based on sound risk assessments and prioritized to reduce risk. Vulnerability management should follow the same risk prioritization scheme other organizational security activities use.
Keep in mind, however, that risks come in many forms and different organizations have varying risk tolerances. In some organizations, reputational risk may be paramount, driving activities that reduce the risk of a public embarrassment. Other organizations may be driven by financial risk, attempting to limit the firm's fiscal vulnerabilities. The compliance risk associated with a particular law or regulation is only meaningful when assessed relative to a particular firm's tolerance toward the penalties of failing to comply with that obligation.
Products such as the one you describe seek to map security vulnerabilities detected in an organization's infrastructure to the organization's compliance obligations. This is clearly valuable information, but it also must be weighed against the other risks facing an organization. For example, consider an organization that identifies two vulnerabilities: one in a key financial system and another in a system containing health information. Which one should be remediated first? The decision may vary depending upon whether the organization in question is a hospital or a financial services firm.
There's certainly nothing wrong with including compliance information in your vulnerability assessment process. Indeed, it can be very helpful. I would caution you, however, that this information should only be one factor in your risk analysis and should be weighed against other types of risk.