I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates.
While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
Information security and risk management go hand in hand. In fact, the primary responsibility of any information security professional is to effectively manage the security risks posed to the organization's information assets. As you point out in your question, all of the time and resources invested in security controls should be based on sound risk assessments and prioritized to reduce risk. Vulnerability management should follow the same risk prioritization scheme other organizational security activities use.
Keep in mind, however, that risks come in many forms and different organizations have varying risk tolerances. In some organizations, reputational risk may be paramount, driving activities that reduce the risk of a public embarrassment. Other organizations may be driven by financial risk, attempting to limit the firm's fiscal vulnerabilities. The compliance risk associated with a particular law or regulation is only meaningful when assessed relative to a particular firm's tolerance toward the penalties of failing to comply with that obligation.
Products such as the one you describe seek to map security vulnerabilities detected in an organization's infrastructure with the organization's compliance obligations. This is clearly valuable information, but it also must be weighed against the other risks facing an organization. For example, consider an organization that identifies two vulnerabilities: one in a key financial system and another in a system containing health information. Which one should be remediated first? The decision may vary depending upon whether the organization in question is a hospital or a financial services firm.
There's certainly nothing wrong with including compliance information in your vulnerability assessment process. Indeed, it can be very helpful. I would caution you, however, that this information should only be one factor in your risk analysis and should be weighed against other types of risk.
Dig deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.