This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
Download it now to read this article plus other related content.
You're just plugging holes if you don't have the right processes and policies.
Scan, patch and scan again: It's a common process for finding and plugging security vulnerabilities. But, if this is your idea of vulnerability management, it's costing your company time and money without improving your security. Clearly, you need to implement a well-defined, repeatable process that gets the most out of your staff and protects critical business assets and applications.
An efficient vulnerability management process can't be implemented without a solid foundation of essential resources, mechanisms, expectations and security policies. How do you determine where to focus your limited resources? Are your most critical assets also the most vulnerable? If you don't know the answers, you're not efficiently managing vulnerabilities--you're simply trying to plug holes as they appear. Without this foundation, you're doomed to work in reactive mode, with no way to validate budgets or measure performance, effectiveness or exposure to threats and risk.
The following are seven must-have elements of a successful vulnerability management program. They're not about scanning or applying patches; they're the essentials that will enable you to efficiently and effectively find and remediate vulnerabilities.
1. Define Roles and Responsibilities
The chaos of an attack or a rapidly spreading worm isn't the time
At an operational level, individuals within the IT department may be responsible for identifying the company's assets, carrying out vulnerability assessments and penetration testing, and participating in the incident response team. These responsibilities may be assigned by business unit for particular sets of servers, depending on the size and complexity of your organization.
Roles and responsibilities should be documented, with flowcharts showing each team member's or department's involvement at each stage. This should include the creation of an escalation process to ensure that the right people are dealing with the more critical and complex issues.
Reinforce these assignments by integrating the responsibilities into job descriptions and performance reviews, and chart the performance of each security team by asset category, such as e-commerce servers, critical databases, nonproduction servers, financial systems and desktops PCs.
This was first published in January 2005