Effective vulnerability management requires an organization to implement a comprehensive approach to identify, classify, remediate, and mitigate information security risks. A cookie-cutter approach to vulnerability management is unwise; it is more effective to thoughtfully consider the particular business risks you face and develop an information security plan focused on protecting your business. Each business faces different risks, so your vulnerability management program must be focused on the risk reduction steps that will help you cost-effectively manage risk within your business.
Information Security Mission Statement
Your mission is to protect the confidentiality, integrity, and availability of your organization’s information assets. Compliance with all applicable regulatory requirements is also important to ensure your continuing right to operate and good standing in the community. It is also important to balance the risk vs. cost proposition to maximize the risk mitigation value that your information security investment will provide. Defining an organization’s information security policy is the foundational activity to get started.
Define Your Information Security Policy – As with many things in life, if you do not have a plan you are just winging it. To get maximum benefit from your vulnerability management program you have to define a security policy for your organization. Your information security policy should reflect the specific needs of the business or organization you are trying to protect. It defines the desired security state for your organization and the principles that will be used.
Information Security Policy Guidance – Resist the temptation to over-document your information security policy. Your information security policy should serve as your high-level principles document that applies to all users. The more detailed “how to” components belong in your detailed standards requirements. Here are examples of statements to include in your policy:
- All information assets should be assigned an owner
- Each owner is responsible for classifying the risk of an information security asset
- Based on its determined risk level, an information security asset should have appropriate safety measures put in place
- The principle of least privilege should be employed when granting access to information (only those with a legitimate need for the access are given it)
- Software used by your company will comply with legal and contractual requirements
- Change control principles will be implemented to minimize the risk to system availability and integrity
- Backups and disaster recovery plans must be available for important information systems
- Physical security controls should be put in place to prevent theft of information assets
- If your company wishes to restrict asset usage to business purposes or to monitor company-owned equipment, the policy should say so
- Exceptions to the information security policy must be documented and require formal management approval
Baseline your business vs. your information security policy – Once you create or modify your policy, it is important to perform a baseline assessment to determine your level of compliance and document improvement opportunities. This activity is best performed through a documented audit that assesses all of the key areas of your information security policy. Policy violations highlighted during the audit should be documented, corrected, and retested later to confirm that the correction is effective.
Prioritize your information security vulnerabilities – Your information security policy audit will identify instances of policy violations that are potential vulnerabilities. The identified vulnerabilities should be prioritized based on the risk to your business, and corrective measures should be brainstormed using a risk-based approach. If you identify vulnerabilities that require immediate resolution, implement short-term mitigation techniques to minimize the damage that could be caused until the vulnerability can be permanently resolved.
Mitigate Your Vulnerabilities – It is important to review your identified information security vulnerabilities so that you can get to the true root cause of the problem. Resist the urge to settle on an immediate cause and instead practice the 5 Whys approach: asking “why” enough times will often lead to the true source of the problem rather than a less than satisfactory root cause. The root cause of your information security violations could be any of many factors, including a lack of awareness of the policy or a failure to implement it as expected.
Perform ongoing information security compliance reviews – Resolving information security vulnerabilities is not a one-and-done proposition. New security vulnerabilities are constantly being identified, which creates a continual need to re-audit and reassess. It is good practice to validate that old violations have been resolved at the beginning of any new audit before moving on to assess new areas.
Does your organization have an effective vulnerability management program? If you have identified some improvement opportunities, get started today!
Vulnerability Management Resources: