All you wanted to know about setting up an effective Vulnerability Management Program

Vulnerability Management is a coordinated enterprise effort.

One key element of an effective information security program is to have good Vulnerability Management (VM) program. It is also recommended by most of the regulatory frameworks. Thus it is imperative for organizations to understand and implement a robust vulnerability management program, one that is aligned to the nature of its business.

The figure above illustrates the stages involved in the vulnerability management program and the actors involved in it. It comprises of IT Asset Teams like Application/Software development teams, Network Infrastructure Teams, etc. These teams manage different IT assets. 

Information security is generally a separate function in organizations. And all the IT assets come under the purview of the Infosec teams for risk management. As per the security assessments carried out by them, the security vulnerabilities and their risks are communicated to the IT stakeholders. The IT asset teams are required to work on fixing such security vulnerabilities within desired timelines. Thus, collectively different teams collaborate to work on closing the security vulnerabilities before any damage occurs.

Some of the shortcomings of such vulnerability management program include:

• Lack of visibility of all the IT Assets to the Infosec teams.
• Lack of Security Resources to conduct security assessments
• Delays in fixing the reported security Vulnerabilities
• Unclear state of Vulnerabilities in the IT Assets
• Redundant Manual Activities of Tracking vulnerabilities and their status across different teams
• Ambiguity in analyzing the security risk for the vulnerabilities & not having a guideline for prioritizing them for closure.
• Inconsistency in following the security assessment processes as defined in the organization.

To meet these challenges, the InfoSec team must design and communicate a vulnerability management program for an enterprise. The effectiveness of the VM process depends on designing it as per the business criticality of the IT assets, and thus asset classification is important to exercise to be done for all the IT assets of an organization. The VM program should include appropriate types of security assessments, frequency, and methodology of performing the assessments.

The assessment processes must be aligned with the business processes and technology mix used in the organization. Also, it must take inputs from change management processes to ensure all the changes made to IT assets are tested for security vulnerabilities.

The organizations must also adopt a suitable means to report the vulnerabilities to the IT teams and implement a notification channel for them to be aware of the existing vulnerabilities and their priorities. The IT team members should have the means to plan the security fixes and coordinate with Infosec teams for resolving technical & operational issues that arise in the process.

Thus, it is important for the Infosec team to provide support to them in terms of knowledge base, guidelines, criteria, or matrix for risk acceptance, prioritization, revalidation, etc. Such that common grounds can be achieved quickly in case of differences in opinions, and the risks get addressed in the environment in consultation with all the stakeholders.

A well-defined framework to help organizations to evaluate the gaps in the current vulnerability management program is thus needed. It will also help in setting a roadmap for the organizations to incorporate processes that are necessary for a planned manner to achieve the highest level of reliability in the vulnerability management program.