Vulnerability Mismanagement - Information Security Magazine - Page 1
POLICY & PROCESS
You're just plugging holes if you don't have the right processes and policies.

Scan, patch and scan again: It's a common process for finding and plugging security vulnerabilities. But, if this is your idea of vulnerability management, it's costing your company time and money without improving your security. Clearly, you need to implement a well-defined, repeatable process that gets the most out of your staff and protects critical business assets and applications.

An efficient vulnerability management process can't be implemented without a solid foundation of essential resources, mechanisms, expectations and security policies. How do you determine where to focus your limited resources? Are your most critical assets also the most vulnerable? If you don't know the answers, you're not efficiently managing vulnerabilities--you're simply trying to plug holes as they appear. Without this foundation, you're doomed to work in reactive mode, with no way to validate budgets or measure performance, effectiveness or exposure to threats and risk.

The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.

1. Define Roles and Responsibilities
The chaos of an attack or a rapidly spreading worm isn't the time to figure out who's supposed to do what and when. All of the best vulnerability management practices, checklists and procedures are useless if individuals aren't appropriately tasked with the responsibility to build and execute a sound program. Defined roles, assigned responsibilities and enforcement procedures--backed by authority--are critical to your enterprise's security. Expensive, cutting-edge security technology is of little use without them.

At an operational level, individuals within the IT department may be responsible for identifying the company's assets, carrying out vulnerability assessments and penetration testing, and participating in the incident response team. These responsibilities may be assigned by business unit for particular sets of servers, depending on the size and complexity of your organization.

Roles and responsibilities should be documented, with flowcharts showing each team member's or department's involvement at each stage. This should include the creation of an escalation process to ensure that the right people are dealing with the more critical and complex issues.

Reinforce these assignments by integrating the responsibilities into job descriptions and performance reviews, and chart the performance of each security team by asset category, such as e-commerce servers, critical databases, nonproduction servers, financial systems and desktop PCs.
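The escalation process and the per-asset-category performance chart described above are easy to state and easy to leave undefined. The following is an added example, not code from the article or its author, of the minimum data you need to make both concrete: each finding carries an owner and an asset category, a remediation deadline derived from severity, and an escalation chain that a finding climbs the longer it stays overdue. The SLA values, the role names in the escalation chain and the rule that each further SLA period past the deadline moves a finding one tier up are assumptions for illustration; the sample findings are constructed, not real scan output.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines by severity, in days. Assumed values for illustration;
# the article does not prescribe SLAs, and the real ones belong in the policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Escalation chain, lowest tier first. Role names are assumed.
ESCALATION = ["asset_owner", "security_manager", "ciso"]


@dataclass
class Finding:
    finding_id: str
    asset: str
    category: str            # asset category used for reporting
    owner: str               # team assigned responsibility for the asset
    severity: str
    found: date
    fixed: Optional[date] = None


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline; a fixed finding is measured at its fix date."""
    end = f.fixed if f.fixed is not None else today
    return max(0, (end - due_date(f)).days)


def escalate_to(f: Finding, today: date) -> str:
    """Who currently holds an open finding. Assumed rule: every further SLA
    period past the deadline moves it one tier up the chain."""
    if f.fixed is not None:
        return "closed"
    overdue = days_overdue(f, today)
    if overdue == 0:
        return ESCALATION[0]
    tier = 1 + overdue // SLA_DAYS[f.severity]
    return ESCALATION[min(tier, len(ESCALATION) - 1)]


def scorecard(findings, today: date, group_by: str = "category"):
    """Per group (asset category by default, or 'owner' for a per-team view):
    open and overdue counts plus the share of closures that met their SLA."""
    rows = defaultdict(lambda: {"open": 0, "overdue": 0, "closed": 0, "closed_on_time": 0})
    for f in findings:
        r = rows[getattr(f, group_by)]
        if f.fixed is None:
            r["open"] += 1
            if days_overdue(f, today) > 0:
                r["overdue"] += 1
        else:
            r["closed"] += 1
            if days_overdue(f, today) == 0:
                r["closed_on_time"] += 1
    for r in rows.values():
        r["on_time_rate"] = round(r["closed_on_time"] / r["closed"], 2) if r["closed"] else None
    return dict(rows)


def escalation_queue(findings, today: date):
    """Open findings that have left tier 0, most overdue first."""
    q = [(f.finding_id, escalate_to(f, today), days_overdue(f, today))
         for f in findings if f.fixed is None and days_overdue(f, today) > 0]
    return sorted(q, key=lambda t: -t[2])


# Constructed sample data for the example; not real scan output.
TODAY = date(2005, 1, 31)
SAMPLE = [
    Finding("V-1", "shop-web-01", "e-commerce", "web-ops", "critical", date(2005, 1, 10)),
    Finding("V-2", "shop-web-02", "e-commerce", "web-ops", "high", date(2005, 1, 5), fixed=date(2005, 1, 20)),
    Finding("V-3", "db-fin-01", "financial systems", "dba", "critical", date(2005, 1, 20)),
    Finding("V-4", "db-fin-01", "financial systems", "dba", "medium", date(2004, 10, 1), fixed=date(2005, 1, 15)),
    Finding("V-5", "pc-0042", "desktop PCs", "helpdesk", "low", date(2005, 1, 28)),
]

if __name__ == "__main__":
    for fid, holder, overdue in escalation_queue(SAMPLE, TODAY):
        print(f"{fid}: escalated to {holder}, {overdue} days overdue")
    for group, row in scorecard(SAMPLE, TODAY).items():
        print(group, row)
```

Run against the constructed sample, the queue shows V-1 (a critical finding two SLA periods past its deadline) escalated to the top of the chain and V-3 one tier up, while the category scorecard shows e-commerce closing on time and financial systems closing late; calling `scorecard(SAMPLE, TODAY, "owner")` gives the same numbers per team, which is what a performance review needs.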

This was first published in January 2005