Vulnerability Management Program Development

Vulnerability management is a never-ending process. You need to develop a vulnerability management life cycle to ensure that new vulnerabilities are quickly discovered and mitigated, no matter what size your business is or the industry that you are involved in.

 An effective vulnerability management program will:

  • Establish essential security controls.
  • Identify and eliminate causes of vulnerabilities.
  • Continuously monitor and detect internal and external vulnerabilities.
  • Provide a documented process for the remediation of identified vulnerabilities.
  • Establish a vulnerability management policy for the organization.
  • Help to identify vulnerability owners and track the remediation status of the vulnerabilities.

Successful network vulnerability management balances the demands of security against the demands of individual business units. It includes these eleven steps:

1. Current policy review relative to generally recognized standards and compliance guidelines.

2. Asset inventory:

  • By type.
  • By owner.
  • Specifications.

3. Data classification to create an asset criticality profile, defining the importance of each asset.

4. Vulnerability assessment.

  • What can be exploited and when is exploitation likely to occur?
  • How can exploitation be achieved?
  • Vulnerability classification.

5. Threat correlation.

  • Worms, exploits, wide-scale attacks, new vulnerabilities.
  • Correlation of high-profile threats with the most important assets.

6. Determination of risk level based on the intersection of assets, vulnerabilities, and threats.

7. Remediation.

  • Factoring the cost to remediate versus the cost to ignore.
  • Zeroing in on must-have remedies.

8. Development of Metrics and Identification of KPIs.

  • Accurate metrics for more informed and more effective management.
  • Evaluation of current security state against baselines and ideal conditions.

9. Training needs.

10. Communication.

11.  Definition of organizational roles and responsibilities.

The high-level plan is to assess the organization in the eleven best practice areas.  Based upon the gaps identified, build a more comprehensive vulnerability management program that addresses areas of concern identified.  Lather, rinse, repeat.  The development of these processes and the program’s lifecycle is never ending, and based on the premise of continuous improvement.