Aqss

Vulnerability Management (VM)

Historically vulnerability management used to be a function of server operations and application support groups. Over time, with the emergence of new technology giving rise to online data-sharing concepts and cloud computing, the lines, and boundaries between on-prem and cloud-based assets started to blur. Additionally, with the proliferation of mobile devices accessing company networks and the concept of BYOD, it became increasingly harder for asset/app owners to get their hands around the roles and responsibilities on keeping all the devices and apps at the latest patch levels while mitigating the production demands on systems. In the present day, it has become not only unavoidable but mandatory to treat Vulnerability Management as a separate entity rather than a function of some existing operations group. Most enterprise businesses already have some variant of Vulnerability Management programs in place though few have reached maturity due to the relatively liquid nature of the IT infrastructure landscape and ever-evolving nature of threats and vulnerabilities.
IT security regulations are increasingly the norm demonstrating a standard of care in protecting sensitive data. To serve this standard, several regulatory bodies have mandated the creation of vulnerability management programs. Examples include the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Federal Energy Regulation Committee (FERC).

Vulnerability Management

 

A good vulnerability management program should have the following components:

  • Identifying/tracking assets (build asset inventory)
  • Categorizing assets into groups
  • Scanning assets for known vulnerabilities
  • Ranking risks
  • Patch management
    • Test patches
    • Apply patches
  • Follow-up remediation scan – confirms vulnerability addressed.

Regardless of what your vulnerability management program looks like, we can help.