Every new vulnerability introduces risk to the organization. So, a defined process is often used to provide organizations with a way to identify and address vulnerabilities quickly and continually. At a high level, 6 processes make up vulnerability management – each with their own subprocesses and tasks.
- Discover: You can’t secure what you’re unaware of. The first process involves taking an inventory of all assets across the environment, identifying details including operating system, services, applications, and configurations to identify vulnerabilities. This usually includes both a network scan and an authenticated agent-based system scan. Discovery should be performed regularly on an automated schedule.
- Prioritize: Second, discovered assets need to be categorized into groups and assigned a risk-based prioritization based on criticality to the organization.
- Assess: Third is establishing a risk baseline for your point of reference as vulnerabilities are remediated and risk is eliminated. Assessments provide an ongoing baseline over time.
- Remediate: Fourth, based on risk prioritization, vulnerabilities should be fixed (whether via patching or reconfiguration). Controls should be in place so that that remediation is completed successfully and progress can be documented.
- Verify: Fifth, validation of remediation is accomplished through additional scans and/or IT reporting.
- Report: Finally, IT, executives, and the C-suite all have a need to understand the current state of risk around vulnerabilities. Security teams need tactical reporting on vulnerabilities identified and remediated (by comparing the most recent scan with the previous one), executives need a summary of the current state of vulnerability (think red/yellow/green type reporting), and the C-suite needs something high-level like simple risk scores across parts of the business.
Strong vulnerability management programs see each process (and any sub-processes) as a continual lifecycle designed to help improve security and reduce organizational risk found in the network environment. Strong programs see this as being a daily process rather than quarterly or annually.
Contact our team and lets discuss how we can assist you on your Cyber journey, firstname.lastname@example.org.