I read about a product that promises to map security vulnerabilities to common enterprise compliance mandates. While this would, in theory, enable vulnerability remediation to be prioritized based on compliance needs, is this approach recommended? Shouldn't vulnerabilities be prioritized and remediated based on the risk they pose to the organization?
Information security and risk management go hand in hand. In fact, the primary responsibility of any information security professional is to effectively manage the security risks posed to the organization's information assets. As you point out in your question, all of the time and resources invested in security controls should be based on sound risk assessments and prioritized to reduce risk. Vulnerability management should follow the same risk prioritization scheme other organizational security activities use.
Keep in mind, however, that risks come in many forms and different organizations have varying risk tolerances. In some organizations, reputational risk may be paramount, driving activities that reduce the risk of a public embarrassment. Other organizations may be driven by financial risk, attempting to limit the firm's fiscal vulnerabilities. The compliance risk associated with a particular law or regulation is only meaningful when assessed relative to a particular firm's tolerance toward the penalties of failing to comply with that obligation.
Products such as the one you describe seek to map security vulnerabilities detected in an organization's infrastructure to the organization's compliance obligations. This is clearly valuable information, but it also must be weighed against the other risks facing an organization. For example, consider an organization that identifies two vulnerabilities: one in a key financial system and another in a system containing health information. Which one should be remediated first? The decision may vary depending upon whether the organization in question is a hospital or a financial services firm.
There's certainly nothing wrong with including compliance information in your vulnerability assessment process. Indeed, it can be very helpful. I would caution you, however, that this information should only be one factor in your risk analysis and should be weighed against other types of risk.