November 10, 2016

Last Updated on November 10, 2016

In Part 1 of this two-part post, I covered some of the best practices you should consider implementing as part of your Vulnerability Management process. In this Part 2, I will cover those elusive “next steps,” and address how to effectively leverage all of the vulnerability information you have collected in order to prioritize your remediation efforts.

Remediation

A remediation timeline is essential to the success of your Vulnerability Management program. Once vulnerabilities have been identified, false positives removed and a remediation strategy assigned, it is important to ensure timelines are kept, especially where critical assets or known vulnerable assets are concerned.
These are some important aspects of the remediation process in the overall Vulnerability Management context:

  • Conduct validation scans to ensure remediation efforts have been completed, and hold system and technical owners accountable to the agreed and assigned timeline(s).
  • Prepare for contingencies, as risks often escalate over time as exploits are created. Ensure an escalation path exists to elevate remediation efforts to account for increased risk priority.
  • Track your progress using systematic reports and ensure you monitor vulnerability aging as part of the remediation cycle.

Reporting

The next phase to address is reporting. Reporting is more than just: “We had 100 High-risk vulnerabilities, 350 Medium and 1,200 Low.” Reporting is a process and a mechanism to help you automate and self-manage your Vulnerability Management process.
Determine reporting and metrics requirements based on your organizational needs, as well as industry compliance and audit requirements. This process should include the development of reporting templates to ensure accurate and immediate access to all of your risk management data.
Here are some key aspects of a best-practice Vulnerability Management reporting program:

  • Develop a vulnerability aging report to allow you to track remediation efforts and timelines.
  • Create granular reports to track risks down to the individual system owners (e.g., are the system owners adhering to established standards, where do improvements need to be made, etc.).
  • Conduct a trend analysis as part of your executive reporting. This should be clean and simple—a quick view of risk/exposure and how well the risk management program is performing over time (trending up or down).
  • Reports should be automated to ensure compliance and audit needs are being addressed while keeping your analysts focused on threat management and not report/metrics generation.
  • Reports should allow for multiple views, but ultimately should all roll up together to paint a comprehensive picture of the organizational risk landscape.
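As an added illustration (not code from the original post), here is a minimal Python sketch of the aging report, per-owner roll-up and executive trend view described above. The findings, the SLA days per severity and the escalation multiplier are constructed assumptions, not figures from the post.

```python
from datetime import date

# Constructed sample scan export (not real data): one open finding per row.
# A real report would read these rows from the scanner's CSV/API export.
FINDINGS = [
    {"host": "web-01",  "owner": "web-team",   "severity": "High",   "first_seen": date(2016, 9, 1)},
    {"host": "web-02",  "owner": "web-team",   "severity": "Medium", "first_seen": date(2016, 10, 1)},
    {"host": "db-01",   "owner": "dba-team",   "severity": "High",   "first_seen": date(2016, 10, 20)},
    {"host": "db-02",   "owner": "dba-team",   "severity": "Low",    "first_seen": date(2016, 7, 1)},
    {"host": "file-01", "owner": "infra-team", "severity": "Medium", "first_seen": date(2016, 8, 1)},
]
AS_OF = date(2016, 11, 10)  # report date (constructed)

# Remediation SLA in days per severity, and the escalation multiplier.
# Both are assumed policy values; set them from your own remediation timeline.
SLA_DAYS = {"High": 30, "Medium": 60, "Low": 90}
ESCALATE_AT = 1.5  # escalate once a finding has been open past 150% of its SLA


def age_days(finding, as_of):
    """Vulnerability aging: days since the scanner first reported the finding."""
    return (as_of - finding["first_seen"]).days


def classify(finding, as_of):
    """Bucket a finding as within_sla, overdue, or escalate (overdue and past the threshold)."""
    age = age_days(finding, as_of)
    sla = SLA_DAYS[finding["severity"]]
    if age > sla * ESCALATE_AT:
        return "escalate"
    return "overdue" if age > sla else "within_sla"


def aging_report(findings, as_of):
    """Granular view: per-owner counts by SLA status plus the oldest open finding in days."""
    report = {}
    for f in findings:
        row = report.setdefault(f["owner"], {"within_sla": 0, "overdue": 0, "escalate": 0, "oldest_days": 0})
        row[classify(f, as_of)] += 1
        row["oldest_days"] = max(row["oldest_days"], age_days(f, as_of))
    return report


def trend(open_counts):
    """Executive view: direction of total open findings across successive scans."""
    if len(open_counts) < 2 or open_counts[-1] == open_counts[0]:
        return "flat"
    return "down" if open_counts[-1] < open_counts[0] else "up"


if __name__ == "__main__":
    for owner, row in sorted(aging_report(FINDINGS, AS_OF).items()):
        print(f"{owner:11} {row}")
    print("trend:", trend([1650, 1400, 1200]))  # constructed totals from three prior scans
```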

A proper vulnerability management program will help you gain insight into your total risk posture, and allow you to see potential issues before they become bigger problems. By following the steps I have outlined in this two-part blog post, you will ensure that you know which systems are critical, which systems are high risks, and where you should focus your time and efforts to get the best results from remediation efforts and system patching.

Additional Program Considerations

I will leave you with a few additional security program considerations to help you with your program development.

  • Consider a full defense-in-depth strategy for your security program. Include system, storage, network, application, and user security enforcement and monitoring.
  • Implement a full vulnerability management lifecycle program to track, monitor and trend the vulnerability state and the vulnerability workflow on an ongoing basis.
  • Identify assets, owners, and high-risk/critical systems. Ensure critical systems are documented and a plan is in place for proper remediation steps.
  • Ensure your vulnerability program is a defined portion of your existing security policy. This should be a two-way agreement that defines roles, responsibilities, and SLAs for incident response, maintenance and support.

If you would like to discuss how PPS can assist you in developing a solid Vulnerability Management program for your organization, please contact our team today to discuss our process and options.