I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
Information security and risk management go hand in hand. In fact, the primary responsibility of any information security professional is to effectively manage the security risks posed to the organization's information assets. As you point out in your question, all of the time and resources invested in security controls should be based on sound risk assessments and prioritized to reduce risk. Vulnerability management should follow the same risk prioritization scheme other organizational security activities use.
Keep in mind, however, that risks come in many forms and different organizations have varying risk tolerances. In some organizations, reputational risk may be paramount, driving activities that reduce the risk of a public embarrassment. Other organizations may be driven by financial risk, attempting to limit the firm's fiscal vulnerabilities. The compliance risk associated with a particular law or regulation is only meaningful when assessed relative to a particular firm's tolerance toward the penalties of failing to comply with that obligation.
Products such as the one you describe seek to map security vulnerabilities detected in an organization's infrastructure with the organization's compliance obligations. This is clearly valuable information, but it also must be weighed against the other risks facing an organization. For example, consider an organization that identifies two vulnerabilities: one in a key financial system and another in a system containing health information. Which one should be remediated first? The decision may vary depending upon whether the organization in question is a hospital or a financial services firm.
There's certainly nothing wrong with including compliance information in your vulnerability assessment process. Indeed, it can be very helpful. I would caution you, however, that this information should only be one factor in your risk analysis and should be weighed against other types of risk.
Dig Deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from Mike Chapple
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ...continue reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ...continue reading
Now that NIST has deprecated the use of SMS 2FA, should nongovernment organizations follow suit? Expert Mike Chapple discusses the risks of SMS-based...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.