2016 has seen a rash of high profile security breaches that have impacted businesses and their customers alike. Yahoo recently reported the largest such breach in history, revealing that some 500 million customers’ data had been stolen. It is no longer enough to serve your customers, you must protect them as well. Having your information security team scanning and monitoring your network is a start, but installing a formal vulnerability management process will go much further in lowering your IT risk. Vulnerability scanning will help you to identify your risk while vulnerability management will help you to understand and mitigate these risks.
Here are 5 steps to improve IT security with vulnerability management:
1. Determine your scope
Determining the scope of your scanning and remediation process is one of the key ways vulnerability management can improve your security posture. Vulnerabilities can exist at every level of your network. Between an external scan from the perspective of an outside attacker, an internal scan for local network threats, application testing, and hiring a third-party penetration tester, the time and money can quickly add up. Determine the scope of issues you can afford to fix and what level of risk you can accept, and grow from there as your process matures.
2. Identify your asset owners
Scanning will help you to determine what is on your network, and how those hosts are vulnerable. You must then be able to quickly identify who is responsible for those hosts, and work with them to create a remediation plan. Work with your asset owners to create a centralized source for this ownership information. This will not only speed up the remediation process, but ensure that your asset owners already know and work with your vulnerability management team when the time comes to remediate issues.
3. Manage your exceptions
There will be issues identified in your scans that cannot be remediated. Perhaps they are low enough risk that they are not worth taking the time to fix, they are too expensive and time-consuming to fix, or a vendor cannot certify that an application will work with a particular patch. Whatever the reason, a formal exception process must be established. This will allow your organization to make an educated decision about the level of risk it is accepting, as it will be informed of the extent of the risk and can determine what can or should be done. Exceptions should always be granted for a set period of time, and revisited to confirm whether something can now be done before they are recertified.
4. Have a single authoritative source
A formal vulnerability management process will produce multiple scans that cover many different areas of your network and business. It requires keeping track of remediation plans of multiple asset owners for numerous vulnerabilities. Keeping a single authoritative source with a vulnerability management team will allow for better tracking and reporting of the status of your security posture. Have a team work with your asset owners to keep a database detailing their remediation efforts, as this will ensure someone is always focused on the vulnerability management process and can keep things moving forward. Accurate and up-to-date records are essential to understanding your risk.
5. Formalize your policy
Once your scope is set, your owners have been identified and there is buy-in from all groups about the nature of your vulnerability management process, formalize it in policy. Set a timeline for remediation of identified vulnerabilities, based on realistic goals your asset owners can meet. Ensure that there is sufficient oversight to determine the status of vulnerabilities, and set it all down in policy. This will give your vulnerability management team the authority to work with owners to remediate issues in a timely manner and keep your risk low.
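Steps 2 through 5 describe a record-keeping model: an owner registry, time-boxed exceptions that must be recertified, one authoritative record per finding, and a remediation deadline set by policy. The script below is an added example written for this article, not code from the original post. It shows how a minimal tracker can derive the status of each finding from those rules, so that expired exceptions, overdue remediations and hosts with no registered owner surface in one report. The severity-to-deadline values, host names, owner names and findings are all constructed for illustration.

```python
"""Minimal vulnerability tracker (added example, not from the article).

Models the article's process: an asset-to-owner registry (step 2),
exceptions with an expiry date that forces recertification (step 3),
a single record per finding (step 4) and a remediation deadline
derived from a policy timeline (step 5). All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation window per severity, in days. Assumed policy values;
# the article only says the timeline must be realistic for owners.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Asset -> owner registry (step 2). Constructed sample data.
OWNERS = {"web-01": "web-team", "db-01": "dba-team"}


@dataclass
class RiskException:
    """A formally accepted risk; it lapses on `expires` (step 3)."""
    reason: str
    expires: date


@dataclass
class Finding:
    """One authoritative record per vulnerability per host (step 4)."""
    finding_id: str
    host: str
    severity: str
    found: date
    exception: Optional[RiskException] = None
    remediated: Optional[date] = None

    @property
    def owner(self) -> str:
        # An unregistered host is a gap in the ownership registry.
        return OWNERS.get(self.host, "UNASSIGNED")

    @property
    def due(self) -> date:
        # Policy deadline: discovery date plus the severity's window.
        return self.found + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        if self.remediated is not None:
            return "remediated"
        if self.exception is not None:
            if self.exception.expires < today:
                return "exception-expired"  # recertify or remediate
            return "excepted"
        if self.due < today:
            return "overdue"
        return "open"


def report(findings: List[Finding], today: date) -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Group finding ids by status and count action items per owner."""
    by_status: Dict[str, List[str]] = {}
    actions_by_owner: Dict[str, int] = {}
    for f in findings:
        s = f.status(today)
        by_status.setdefault(s, []).append(f.finding_id)
        if s in ("overdue", "exception-expired"):
            actions_by_owner[f.owner] = actions_by_owner.get(f.owner, 0) + 1
    return by_status, actions_by_owner


# Constructed sample findings; "legacy-01" is deliberately missing
# from OWNERS to show how an ownership gap is flagged.
TODAY = date(2016, 10, 1)
SAMPLE = [
    Finding("F-1", "web-01", "critical", date(2016, 9, 1)),
    Finding("F-2", "db-01", "high", date(2016, 9, 20)),
    Finding("F-3", "legacy-01", "medium", date(2016, 3, 1),
            exception=RiskException("vendor cannot certify patch", date(2016, 9, 1))),
    Finding("F-4", "web-01", "low", date(2016, 8, 1),
            exception=RiskException("low risk, not worth the effort", date(2017, 2, 1))),
    Finding("F-5", "db-01", "high", date(2016, 8, 1), remediated=date(2016, 8, 15)),
]

if __name__ == "__main__":
    statuses, actions = report(SAMPLE, TODAY)
    for status, ids in sorted(statuses.items()):
        print(f"{status:18} {', '.join(ids)}")
    print("action items per owner:", actions)
```

Run as-is, the report lists F-1 as overdue (a critical finding past its 7-day window), F-3 as an expired exception that must be recertified or fixed, and attributes one action item each to `web-team` and to `UNASSIGNED`, the latter being exactly the ownership gap step 2 tells you to close before remediation time arrives.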
Having a mature vulnerability management process in place can help you to protect your business, your systems, and your customers. Recent events have shown information security to be more important than ever, and an investment in vulnerability management now could save you from being a headline later.