Vulnerability Management is a co-ordinated enterprise effort.
One key element of an effective information security program is a good Vulnerability Management (VM) program. It is also recommended by most regulatory frameworks. It is therefore imperative for organizations to understand and implement a robust vulnerability management program, one that is aligned with the nature of their business.

The figure above illustrates the stages of the vulnerability management program and the actors involved in it. It comprises IT asset teams such as application/software development teams, network infrastructure teams, and so on, each of which manages different IT assets.
Information security is generally a separate function in organizations, so all IT assets fall under its radar for security risk assessment. Based on the assessments carried out by the InfoSec team, the security vulnerabilities and their risks are communicated to the IT stakeholders. The IT asset teams are required to fix those vulnerabilities within the agreed timelines. In this way the different teams collaborate to close security vulnerabilities before any damage is done.


Some of the shortcomings of such a vulnerability management program include:
• Lack of visibility of all IT assets to the InfoSec team.
• Lack of security resources to conduct security assessments.
• Delays in fixing the reported security vulnerabilities.
• Unclear state of vulnerabilities in the IT assets.
• Redundant manual activities for tracking vulnerabilities and their status across different teams.
• Ambiguity in analysing the security risk of vulnerabilities, and no guideline for prioritizing them for closure.
• Inconsistency in following the security assessment processes as defined in the organization.


To meet these challenges, the InfoSec team must design and communicate a vulnerability management program for the enterprise. The effectiveness of the VM process depends on designing it according to the business criticality of the IT assets, so asset classification is an important exercise to carry out for all the IT assets of an organization. The VM program should define the appropriate types of security assessments, their frequency, and the methodology for performing them.

The assessment processes must be aligned with the business processes and technology mix used in the organization. Also, it must take inputs from change management processes to ensure all the changes made to IT assets are tested for security vulnerabilities. 

Organizations must also adopt a suitable means of reporting vulnerabilities to the IT teams and implement a notification channel so that those teams are aware of the existing vulnerabilities and their priorities. IT team members should have the means to plan the security fixes and coordinate with the InfoSec team to resolve technical and operational issues that arise in the process. It is therefore important for the InfoSec team to support them with a knowledge base, guidelines, and criteria or a matrix for risk acceptance, prioritization, revalidation, and so on, so that common ground can be reached quickly when opinions differ and the risks get addressed in the environment in consultation with all the stakeholders.
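As an added illustration of the prioritization matrix and timeline tracking described above (example code written for this page, not the author's tooling), the script below derives a remediation deadline from asset classification combined with vulnerability severity, drops fixed and risk-accepted items, and lists each IT team's open findings with the most urgent first, flagging breached timelines. The SLA values, team names and findings are assumed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Remediation timelines in days, indexed by asset classification then severity band.
# Assumed values for illustration; each organization defines its own matrix.
SLA_DAYS = {"critical": {"critical": 7, "high": 14, "medium": 30, "low": 90},
            "high": {"critical": 14, "high": 30, "medium": 60, "low": 120},
            "standard": {"critical": 30, "high": 60, "medium": 90, "low": 180}}

def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

@dataclass
class Finding:
    vuln_id: str
    asset: str
    asset_class: str   # result of the asset classification exercise
    owner_team: str    # IT asset team responsible for the fix
    cvss: float
    reported: date
    status: str        # "open", "fixed" or "risk_accepted"

def due_date(f: Finding) -> date:
    # Deadline comes from the matrix, so the same CVSS score gets a tighter timeline on critical assets.
    return f.reported + timedelta(days=SLA_DAYS[f.asset_class][severity_band(f.cvss)])

def triage(findings, today: date) -> dict:
    """Group open findings by owning team, most urgent first, flagging breached timelines."""
    report = {}
    for f in findings:
        if f.status != "open":  # fixed or formally risk-accepted items drop out of the queue
            continue
        due = due_date(f)
        report.setdefault(f.owner_team, []).append({
            "id": f.vuln_id, "asset": f.asset, "severity": severity_band(f.cvss),
            "due": due.isoformat(), "days_left": (due - today).days, "overdue": today > due})
    for items in report.values():
        items.sort(key=lambda r: r["days_left"])
    return report

# Constructed sample findings with placeholder identifiers, not real vulnerabilities.
SAMPLE = [
    Finding("VULN-001", "payments-api", "critical", "AppDev", 9.8, date(2024, 1, 1), "open"),
    Finding("VULN-002", "intranet-wiki", "standard", "AppDev", 5.3, date(2024, 1, 10), "open"),
    Finding("VULN-003", "core-switch", "high", "NetInfra", 7.5, date(2024, 1, 5), "open"),
    Finding("VULN-004", "core-switch", "high", "NetInfra", 4.0, date(2024, 1, 5), "risk_accepted"),
]

def demo_report() -> dict:
    return triage(SAMPLE, date(2024, 1, 20))
```

Running `demo_report()` as of 2024-01-20 shows VULN-001 already overdue on the critical asset while the medium-severity wiki finding still has 80 days, which is the difference a classification-aware matrix makes over sorting by CVSS alone.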


A well-defined framework is therefore needed to help organizations evaluate the gaps in their current vulnerability management program. It will also help set a roadmap for organizations to incorporate the necessary processes in a planned manner and achieve the highest level of reliability in their vulnerability management program.