Vulnerability Mismanagement


This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."

Download it now to read this article plus other related content.

You're just plugging holes if you don't have the right processes and policies.

Scan, patch and scan again: It's a common process for finding and plugging security vulnerabilities. But, if this is your idea of vulnerability management, it's costing your company time and money without improving your security. Clearly, you need to implement a well-defined, repeatable process that gets the most out of your staff and protects critical business assets and applications.

An efficient vulnerability management process can't be implemented without a solid foundation of essential resources, mechanisms, expectations and security policies. How do you determine where to focus your limited resources? Are your most critical assets also the most vulnerable? If you don't know the answers, you're not efficiently managing vulnerabilities--you're simply trying to plug holes as they appear. Without this foundation, you're doomed to work in reactive mode, with no way to validate budgets or measure performance, effectiveness or exposure to threats and risk.

The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.

1. Define Roles and Responsibilities
The chaos of an attack or a rapidly spreading worm isn't the time

Requires Free Membership to View

to figure out who's supposed to do what and when. All of the best vulnerability management practices, checklists and procedures are useless if individuals aren't appropriately tasked with the responsibilities to build and execute a sound program. Defined roles, assigned responsibilities and enforcement procedures--backed by authority--are critical to your enterprise's security. Expensive, cutting-edge security technology is of little use without them.

At an operational level, individuals within the IT department may be responsible for identifying the company's assets, carrying out vulnerability assessments and penetration testing, and participating in the incident response team. These responsibilities may be assigned by business unit for particular sets of servers, depending on the size and complexity of your organization.

Roles and responsibilities should be documented, with flowcharts showing each team member's or department's involvement at each stage. This should include the creation of an escalation process to ensure that the right people are dealing with the more critical and complex issues.

Reinforce these assignments by integrating the responsibilities into job descriptions and performance reviews, and chart the performance of each security team by asset category, such as e-commerce servers, critical databases, nonproduction servers, financial systems and desktops PCs.

This was first published in January 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: