Vulnerability Management is a coordinated enterprise effort.
One key element of an effective information security program is a good Vulnerability Management (VM) program. It is also recommended by most regulatory frameworks. It is therefore imperative for organizations to understand and implement a robust vulnerability management program, one that is aligned to the nature of their business.
The figure above illustrates the stages involved in the vulnerability management program and the actors involved in it. It comprises IT asset teams such as application/software development teams, network infrastructure teams, etc. These teams manage different IT assets.
Information security is generally a separate function in organizations, and all IT assets come under the purview of the InfoSec team for risk management. Based on the security assessments carried out by the InfoSec team, the security vulnerabilities and their risks are communicated to the IT stakeholders. The IT asset teams are required to fix such security vulnerabilities within the desired timelines. Thus, the different teams collaborate to close the security vulnerabilities before any damage occurs.
Some of the shortcomings of such a vulnerability management program include:
• Lack of visibility of all IT assets to the InfoSec team.
• Lack of security resources to conduct security assessments.
• Delays in fixing the reported security vulnerabilities.
• Unclear state of vulnerabilities in the IT assets.
• Redundant manual activities for tracking vulnerabilities and their status across different teams.
• Ambiguity in analyzing the security risk of vulnerabilities, and no guideline for prioritizing them for closure.
• Inconsistency in following the security assessment processes defined in the organization.
To meet these challenges, the InfoSec team must design and communicate a vulnerability management program for the enterprise. The effectiveness of the VM process depends on designing it according to the business criticality of the IT assets, so asset classification is an important exercise to be carried out for all IT assets of an organization. The VM program should define the appropriate types of security assessments, their frequency, and the methodology for performing them.
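The prioritization and tracking gaps listed above (no guideline for prioritizing closure, unclear vulnerability state, manual status tracking across teams) can be reduced by encoding the asset classification and remediation timelines in a small tracker. The following is an added example, not code from the original article: it assumes hypothetical remediation windows keyed by asset criticality and vulnerability severity, ranks open findings for closure, and reports which owning team has overdue items. The asset names, finding identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical remediation windows in days, indexed by asset criticality
# (from the asset classification exercise) and then by vulnerability severity.
# These values are assumptions for illustration, not from the original article.
SLA_DAYS = {
    "high":   {"critical": 7,  "high": 14, "medium": 30, "low": 90},
    "medium": {"critical": 14, "high": 30, "medium": 60, "low": 180},
    "low":    {"critical": 30, "high": 60, "medium": 90, "low": 365},
}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}
OPEN_STATES = ("open", "in_progress")


@dataclass
class Asset:
    name: str
    owner_team: str      # the IT asset team responsible for fixes
    criticality: str     # "high" | "medium" | "low", set by asset classification


@dataclass
class Finding:
    finding_id: str
    asset: Asset
    severity: str        # "critical" | "high" | "medium" | "low"
    reported: date
    status: str = "open"           # open | in_progress | fixed | risk_accepted
    closed: Optional[date] = None

    def due_date(self) -> date:
        """Remediation deadline derived from asset criticality and severity."""
        days = SLA_DAYS[self.asset.criticality][self.severity]
        return self.reported + timedelta(days=days)

    def priority(self) -> int:
        """Higher value = fix first; combines asset criticality with severity."""
        return CRITICALITY_RANK[self.asset.criticality] * SEVERITY_RANK[self.severity]

    def is_overdue(self, today: date) -> bool:
        return self.status in OPEN_STATES and today > self.due_date()


def prioritized_queue(findings: List[Finding]) -> List[Finding]:
    """Open findings ordered for closure: highest priority, then earliest due date."""
    open_items = [f for f in findings if f.status in OPEN_STATES]
    return sorted(open_items, key=lambda f: (-f.priority(), f.due_date()))


def overdue_by_team(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count overdue findings per owning team, to drive follow-up with that team."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.is_overdue(today):
            counts[f.asset.owner_team] = counts.get(f.asset.owner_team, 0) + 1
    return counts


# Constructed sample inventory (not real assets or findings).
PAYMENTS_API = Asset("payments-api", "AppDev", "high")
CORE_SWITCH = Asset("core-switch", "NetInfra", "high")
INTRANET_WIKI = Asset("intranet-wiki", "AppDev", "low")

FINDINGS = [
    Finding("F-1", PAYMENTS_API, "critical", date(2024, 3, 1)),
    Finding("F-2", CORE_SWITCH, "high", date(2024, 2, 20), status="in_progress"),
    Finding("F-3", INTRANET_WIKI, "medium", date(2024, 1, 10)),
    Finding("F-4", PAYMENTS_API, "low", date(2024, 1, 5), status="fixed",
            closed=date(2024, 2, 1)),
]
TODAY = date(2024, 3, 10)

if __name__ == "__main__":
    for f in prioritized_queue(FINDINGS):
        flag = "OVERDUE" if f.is_overdue(TODAY) else "on track"
        print(f"{f.finding_id} {f.asset.name:14} prio={f.priority():2} "
              f"due={f.due_date()} {flag}")
    print("overdue per team:", overdue_by_team(FINDINGS, TODAY))
```

The key design choice is that the deadline and the ordering both come from the asset classification rather than from severity alone, so a medium finding on a critical asset can outrank a high finding on a low-value one; the per-team overdue counts give the InfoSec team a single view of status instead of chasing each team by hand.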