Organizations face an ever-evolving threat landscape. With this in mind, it is imperative that organizations keep an up-to-date vulnerability management policy for remediating and controlling security vulnerabilities that may lead to a breach. A good vulnerability management policy should contain the following:
- An Overview of what the policy is intended to do.
- The Scope of the policy.
- Roles and Responsibilities under the organization.
- Vulnerability Remediation/Risk Mitigation.
Taking the time to give a short summary of the policy as well as who and what it involves will help to better flesh out the policy that the organization is trying to implement. Describing what types of devices, software, and networks that are subject to vulnerability scanning will decrease the likelihood of future vulnerabilities and keep an organization's information security infrastructure up to date.
Aside from keeping an organization’s information security infrastructure up to date, implementing a strong vulnerability management policy is essential to help reduce its potential financial, reputational and regulatory risks that could befall an organization with a weaker policy.
Scope of the Policy
There is no such thing as one size fits all when it comes to security. Different areas of the IT infrastructure will require different considerations and therefore should be broken into policy scopes. Some scopes you might consider include network infrastructure, company owned devices, servers, OSes, virtual machines, cloud-hosted servers, DB servers, applications, and networking gear. A clearly defined vulnerability management program will help to reduce confusion of what is expected and required to secure assets within the organization.
Roles and Responsibilities
Having clearly defined roles for personnel under which the vulnerability management policy is enacted well help employees understand who they should look to if an issue that's encountered falls under the vulnerability management policy. Some commonly defined roles are Chief Information Security Officer (CISO), System/Application Administrators, Information Assurance personnel and General IT staff. Each of these roles represent different aspects of responsibility for the security of an organization.
Vulnerability Remediation/ Risk Mitigation
The term “Automation is your friend” comes into play during vulnerability scanning. As an automated task, vulnerability scanning will help to identify potential software vulnerabilities by testing for unpatched software and insecure configurations. The frequency with which assets are scanned will depend on a few factors, that is, compliance standards and security program goals. There are several compliance standards that require higher frequency of vulnerability scanning then others. These include ISO (Internal Organization of Standards), which requires quarterly external and internal vulnerability scans; PCI DSS (Payment Card Industry Data Security Standard), which requires internal and external vulnerability scanning by an ASV (Approved Security Vendor); and NIST (National Institute of Standards and Technology), which requires either quarterly or monthly vulnerability scans depending on the specific NIST framework.
Once vulnerability scanning is completed, categorizing vulnerabilities that have been discovered based on severity should be the next priority. NIST scores published vulnerabilities using the Common Vulnerability Scoring System (CVSS). Under this system, a score of 7-8.9 represents a high risk while 9 or greater indicates a critical risk.
Vulnerabilities that are detected that could potentially put big data or mission critical systems at risk should be prioritized first and receive the shortest time frame for implementing recommended mitigation. Introducing a stern time frame for remediation based on the severity of the vulnerabilities is a step in the right direction. Threat intelligence data can also be leveraged to further prioritize remediation efforts based on perceived likelihood that a give condition will be exploited.
It’s important to maintain perspective on how this is a layered approach. There are many moving parts in a vulnerability management policy, so incorporating other aspects of security by expanding education and searching for other initiatives like bug bounty programs, penetration testing, and red teaming will help an organization to take their vulnerability management to the next level.