In today’s accelerating digital climate, cybersecurity risks grow in number and complexity by the day. Attackers routinely outpace US firms’ defensive efforts, so constant vigilance is required. And attacks aren’t launched only by ragtag criminals; US government agencies work around the clock to identify and defend against organized campaigns by foreign state-sponsored actors. Those same agencies advise every company to create and maintain a vulnerability management policy.
In this article, we’ll take a deep dive into how that policy should function within the context of your company.
Anatomy of a Vulnerability Management Policy for Your Organization
No matter what kind of cyberdefense architecture your organization currently has, or is planning on implementing, threat and vulnerability management will be an essential aspect of it. The key to making sure your vulnerability management is effective involves custom making a policy that addresses your challenges and needs.
In the sections that follow, we’ll detail everything you need to know about how a vulnerability management policy for an organization looks and works, including:
- What the DHS recommends for your vulnerability management
- Some alternative approaches to vulnerability management
- How to create your own vulnerability management policy
But first, let’s cover some basic ground on what exactly vulnerability management is.
What is Vulnerability Management, and Why Does it Matter?
The National Institute of Standards and Technology (NIST) defines a vulnerability as a weakness in an information system, its security procedures, internal controls, or implementation that a threat source could exploit or trigger. In other words, it’s an existing or potential point of exploitation, and it can sit anywhere in your environment, not only at the network perimeter.
Vulnerabilities vary widely; they can be:
- Unintended or undetected capabilities in software or applications
- Flaws in a website’s or program’s design or code, such as missing input validation or broken access control
- Weaknesses that develop over time, such as software that falls behind on patches, configuration drift, or expired credentials and certificates
A vulnerability management program must scan for and identify vulnerabilities, then establish and carry out an action plan to remediate them and limit the harm they could cause.
This process matters because an exploited vulnerability can lead to the theft, exposure, or destruction of data, which in turn can cause lasting financial and reputational harm.
The DHS’s Recommended Vulnerability Management Process
For companies looking to develop a robust vulnerability management policy, there’s no shortage of guidelines available. One of the best is a supplemental guide developed by the Department of Homeland Security (DHS) as part of the Cyber Security Evaluation Program (CSEP).
The DHS’s guide is designed to help organizations prepare for their Cyber Resilience Review (CRR) — a robust assessment of a company’s cybersecurity. Specifically, the CRR focuses on operational resilience, which comprises the various ways in which a company addresses risks.
Additionally, DHS’s guide is intended to encourage and assist companies in implementing standards established by the NIST, specifically the Cybersecurity Framework (CSF).
The guide’s four-step scheme, detailed below, aligns with the CSF.
Step 1: Define Your Vulnerability Management Strategy
The first step comprises top level preparatory work. It defines the overall shape and direction of the vulnerability management process, including limits and boundaries, which will determine the steps to follow.
This step may be returned to later, but it sets the groundwork for everything else. There are three main components to it:
- Determine scope – Selecting the subjects and objects of assessment and analysis aimed at identifying, addressing, and mitigating vulnerabilities.
  - Document assets and resources to analyze
  - Determine environment for analysis
- Determine methods – Selecting the specific practices and specifications that the entire vulnerability management process will entail.
  - Determine regulatory requirements
  - Determine operational requirements
  - Determine legal requirements
  - Determine resource-specific requirements
- Prepare resources – Selecting the resources within your organization that will be operationalized to carry out the plan developed in the next step.
  - Determine stakeholders’ roles
  - Determine budgetary constraints
At this point, your organization is ready to establish a more concrete plan of action.
Step 2: Develop Your Vulnerability Management Plan
Here, the overall strategy developed in the first step is converted into an actionable plan, including concrete steps for implementation. This step completes and delivers on the preparatory work above and then directly transitions into implementation.
This step has eight components or sub-steps:
- Define plan – Building out the specific elements needed to turn the strategy’s direction into particular, enforceable actions.
  - Build vulnerability management team
  - Coordinate with risk management team
  - Define timelines for remediation
  - Standardize documentation
  - Define routine procedures
  - Define proactive measures
- Define metrics – Specifying the measures that will be used to judge the effectiveness of your vulnerability management process in ongoing assessment.
- Define training – Establishing the specific requirements and elements that will inform training and education programs for two distinct populations.
  - Develop training for general end users
  - Develop training for vulnerability management practitioners
- Identify tools – Selecting the specific hardware, software, and other resources that will be used to identify, analyze, and address vulnerabilities.
  - Identify tools for all objects of analysis
  - Test fidelity and efficacy of tools
  - Publish list of authorized tools
  - Define protocols for exceptions
  - Review tools periodically
- Identify inputs – Selecting the specific sources of data that will inform the entire vulnerability management process.
  - Identify all assets, beyond subjects/objects of analysis
  - Identify sources of information about vulnerabilities
- Define roles – Determining who within the organization is responsible for each part of the vulnerability management process.
  - Assign monitoring responsibilities
  - Assign remediation responsibilities
  - Assign decision-making authority (who approves exceptions and signs off on risk)
- Engage stakeholders – Notifying top level executives of their role and preparing them to take or authorize actions that contribute to the process of vulnerability management.
- Plan for revision – Building in flexibility and room for adjustments as the plan is implemented and assessed moving forward, including methods to:
  - Identify actionable changes
  - Review relevant changes
  - Update practices, tools, etc.
  - Update information sources
Once all of this concrete planning is complete, you’re ready to set it in motion.
Step 3: Implement Your Analysis and Resolution Capability
This step is the initial transition from planning into direct action. Here, your company actually sets its plan into motion and actively mobilizes its resources to assess and respond to vulnerabilities. Once initiated, this step is ongoing.
There are seven main sub-steps involved:
- Train personnel – Ensuring education and awareness of vulnerabilities, and of the proper protocols for handling them, across your staff.
  - Educate staff on general approach and processes
  - Educate staff on particular tasks required
- Conduct assessment – Monitoring identified assets and testing for vulnerabilities, according to specifications determined in prior steps.
  - Scan for vulnerabilities
  - Assess identified vulnerabilities
- Record vulnerabilities – Baseline recordkeeping of identified vulnerabilities, including robust protection of the records (since they detail your weaknesses).
  - Log vulnerabilities into secure repository
  - Safeguard access to repository
- Categorize and prioritize – Determining the nature and criticality of vulnerabilities identified, as well as the order in which they should be addressed.
  - Define relevance of vulnerabilities
  - Determine proper resources for mitigation
  - Prioritize according to risk and process of mitigation
- Manage exposure – Limiting, reducing, and ideally eliminating the opportunity to exploit each identified vulnerability, whether by patching, reconfiguration, or compensating controls.
  - Determine methodology for disposition
  - Test and deploy disposition method(s)
  - Assess resolution of exposure
- Determine effectiveness – Monitoring the impact of the methods used to manage exposure and expanding on them as necessary.
  - Evaluate present efficacy
  - Update repository with effects
  - Adjust and repeat disposition (if needed)
- Analyze root causes – Performing root cause analysis (RCA) to determine where vulnerabilities originated and how to avoid them proactively going forward.
  - Perform RCA to determine possible causes
  - Develop proactive, corrective measures
  - Update vulnerability repository
  - Monitor efficacy of proactive measures
Once the action plan has been implemented, it’s time to test and correct it (if necessary).
Step 4: Assess and Improve Your Capabilities
Finally, this step is another ongoing process of analysis and evaluation. It measures the success of all prior steps and provides the structure for changes to be made throughout the entire process.
Like the first step, the final step includes three main components:
- Determine status – Documenting the actual, practical reality of your vulnerability management process in action (real outcomes, not intended results).
  - Review strategy
  - Determine stakeholder needs
  - Determine current outcomes
- Analyze program – Assessing the efficacy of your strategy and plan, as well as the active implementation of the latter (in light of the former).
  - Collect and categorize all outputs of steps 2 and 3
  - Analyze, based on measures determined during step 2
  - Determine current risk, post-implementation
- Improve capabilities – Correcting flaws in the plan or implementation thereof.
  - Address deficiencies by producing alternative measures
The vulnerability management process doesn’t end at its last step. Instead, the cycle begins again, and the last step feeds back into the first. Vulnerability management is ongoing.
Alternative Vulnerability Management Policy Schemes
Importantly, the DHS’s recommended vulnerability management scheme detailed above is not a mandatory guideline that companies must follow. It’s not even the only top level vulnerability management process recommended by government or NGO cybersecurity advisors.
There are many well-regarded alternative schemes to consider. Two are outlined below; note that both, like the DHS process, are cycles rather than one-time checklists.
One scheme, in five stages:
- Preparation for vulnerability management
- Detailed scan and analysis of all vulnerabilities
- Definition of necessary remediating actions
- Implementation of remediating actions
- Rescan and assessment of efficacy
Another, in six stages:
- Discovery and inventory of network assets
- Prioritization of assets into business units
- Assessment of baseline risk profile
- Reporting on level of vulnerability
- Remediation of identified risks
- Verification and follow-up audits
Companies can pick and choose the elements of a given framework that work best for them and create a hybrid threat and vulnerability management policy tailored to their own needs.
How to Build a Threat and Vulnerability Management Policy
Any company looking to build out a vulnerability management policy should utilize all the tools at its disposal. The first among these are tools made readily available by governmental entities.
Specifically, there are two major programs available from NIST:
- SCAP – The Security Content Automation Protocol is a suite of NIST specifications for automating configuration checking, vulnerability measurement, and reporting. It provides machine-readable languages, enumerations, and scoring formats for describing, checking, and scoring vulnerabilities, including the following components:
  - Common vulnerabilities and exposures (CVE) and software identification tags (SWID)
  - Common configuration enumeration (CCE) and common platform enumeration (CPE)
  - Extensible configuration checklist description format (XCCDF)
  - Open vulnerability and assessment language (OVAL)
  - Asset identification (AI) and asset reporting format (ARF)
  - Trust model for security automation data (TMSAD)
  - Common vulnerability scoring system (CVSS)
  - Open checklist interactive language (OCIL)
- NVD – The National Vulnerability Database is the US government’s repository of vulnerability data, built on the CVE list and expressed using SCAP. Each entry is enriched with a CVSS score, affected-platform (CPE) identifiers, and a Common Weakness Enumeration (CWE) classification (CWE itself is maintained by MITRE) that groups vulnerabilities by the type of underlying flaw. Examples include:
As useful as these tools are, they’re far from the only options available to companies building their vulnerability management policy and systems. Professional help from reputable cybersecurity service providers makes robust vulnerability management accessible to any company.
How Professional Assistance Can Bolster Vulnerability Management
Managed IT and cybersecurity services provide solutions to companies of all sizes. This is especially important for the vast majority of small- to medium-sized enterprises, whose IT and cybersecurity teams are already overburdened and for whom vulnerability management is no less vital.
To that effect, RSI Security’s suite of vulnerability management services covers all of the steps and components detailed above, with a focus on ongoing and preventative measures:
- Continuous vulnerability assessment scans
- Threat and vulnerability lifecycle management
- Internal and external penetration testing
- RCA and patch management
RSI Security is your first and best option for developing and implementing a robust threat and vulnerability management policy at a reasonable price point.
Professional Vulnerability Management and Cybersecurity
Here at RSI Security, we’re not just committed to helping you manage your vulnerabilities. We’re also well equipped to assist you with any and all cyberdefense measures you want to enact.
Our team of experts has provided cybersecurity solutions to companies of all sizes, in all industries, for over a decade. There’s no way to completely eliminate risk; the best you can do is manage it effectively. And having an actionable plan in place is the best way to stay safe.
To see just how powerful and protective your vulnerability management policy and overall cyberdefenses can be, contact RSI Security today! We’ll make sure vulnerability management is integrated throughout your entire cybersecurity architecture, always firing on all cylinders.