I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates. While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
Information security and risk management go hand in hand. In fact, the primary responsibility of any information security professional is to effectively manage the security risks posed to the organization's information assets. As you point out in your question, all of the time and resources invested in security controls should be based on sound risk assessments and prioritized to reduce risk. Vulnerability management should follow the same risk prioritization scheme other organizational security activities use.
Keep in mind, however, that risks come in many forms and different organizations have varying risk tolerances. In some organizations, reputational risk may be paramount, driving activities that reduce the risk of a public embarrassment. Other organizations may be driven by financial risk, attempting to limit the firm's fiscal vulnerabilities. The compliance risk associated with a particular law or regulation is only meaningful when assessed relative to a particular firm's tolerance toward the penalties of failing to comply with that obligation.
Products such as the one you describe seek to map security vulnerabilities detected in an organization's infrastructure to the organization's compliance obligations. This is clearly valuable information, but it also must be weighed against the other risks facing an organization. For example, consider an organization that identifies two vulnerabilities: one in a key financial system and another in a system containing health information. Which one should be remediated first? The decision may vary depending upon whether the organization in question is a hospital or a financial services firm.
There's certainly nothing wrong with including compliance information in your vulnerability assessment process. Indeed, it can be very helpful. I would caution you, however, that this information should only be one factor in your risk analysis and should be weighed against other types of risk.