Vulnerability management is the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Vulnerability management is integral to information security and information systems — and despite the similarity in terms, it is not the same as vulnerability scanning.
Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Scanning is an important component of vulnerability management, but it is only one part of vulnerability management, which also includes vulnerability assessments, risk assessments, penetration testing, and remediation.
A vulnerability management process should be part of your organization’s effort to control information security risks. It will allow you to obtain a continuous overview of vulnerabilities in your IT environment as well as the risks associated with them.
There are five steps to an effective vulnerability management process, including:
- Vulnerability scan
- Define remediating actions
- Implement remediating actions
ISO and vulnerability management
Established in 1946, the International Organization for Standards (ISO) develops and publishes internationally agreed upon standards for information security.
ISO standards are developed by experts, and are defined as “a formula that describes the best way of doing something.” From making a product, to delivering a service or supplying materials, ISO standards cover a huge range of activities.
An organization is ISO-compliant when it has chosen one or more ISO standards and followed the best practices within them. ISO certification, however, requires internal audits from third-party assessors using ISO’s Committee on Conformity Assessment (CASCO) criteria.
The ISO/IEC 27001:2013 standard focuses on creating an information security management system (ISMS) that protects confidentiality, integrity, and availability of information as part of the risk management process.
Under ISO 27001:2013, a vulnerability is defined as “a weakness of an asset or control that could potentially be exploited by one or more threats.” A threat is defined as any “potential cause of an unwanted incident, which may result in harm to a system or organization.”
Essentially, a vulnerability arises when a threat finds a weakness it can exploit.
Weaknesses are flaws that occur during design, implementation, configuration, or operation of an asset or control. They are created either intentionally or by accident. While some weaknesses may be easy to identify and remediate, others may require more time, effort, and resources to correct.
ISO 27001 creates a set of rules giving managers discrete steps to follow to organize their information system and assure ongoing security compliance to avoid security incidents.
Through control A.12.6.1, ISO 27001 can help your organization better prepare and mitigate weaknesses in your information security systems via Technical Vulnerability Management.
The ISO 27001 approach for managing vulnerabilities includes three pinnacles in control A.12.6.1:
Timely identification of vulnerabilities
The main objective of a vulnerability management process is to detect and remediate vulnerabilities in a timely fashion. Unfortunately, many organizations don’t perform vulnerability scans frequently enough. Performing scans on a quarterly or annual basis only provides a snapshot of your operating systems only at that point in time.
The sooner you discover a vulnerability, the sooner you can remediate it. Conducting regular vulnerability scans will help your organization to identify any vulnerabilities to your software or information security systems.
Assessment of your organization’s exposure to a vulnerability
Assigning severity levels to vulnerabilities once they have been identified will help you decide which vulnerabilities require immediate action. A risk assessment will assign severity to any vulnerabilities identified during a vulnerability assessment.
Once you have completed a risk assessment, you will need to decide whether to remediate vulnerabilities, or accept the risks.
Proper measures considering the associated risks
After you have identified the most critical vulnerabilities, create a risk treatment plan by considering the risk level associated with each vulnerability. Think about the actions you need to take and allocate resources to remediate your most critical vulnerabilities appropriately.
ISO 27002 best practices for security control A.12.6.1
ISO 27002:2013 contains guidelines for organizational information security standards and your information security policy. This includes the selection, implementation and management of controls taking into consideration the organization’s information security risk environment.
ISO 27002 includes the following best practices for security control A.12.6.1:
Inventory of assets
Effective vulnerability management depends on your knowledge of your information assets, including software manufacturer, software version, where the software is installed, and who is responsible for each piece of software.
Asset management is a crucial component of an effective vulnerability management process, and should be delegated to the asset owner.
Establish roles and responsibilities
It is critical to define who will do what to assure suitable tracking of assets, because vulnerability management requires many different activities (monitoring, risk assessment, correction, and so forth).
When building a vulnerability management process, the following roles should be identified within your organization:
- Security officer. This person is the owner of the vulnerability management process, and designs the process and assures it is implemented as designed.
- Vulnerability engineer. This person is responsible for configuring the vulnerability scanner and scheduling the various vulnerability scans.
- Asset owner. This person is responsible for the IT asset that is scanned by the vulnerability management process, and decides whether identified vulnerabilities are mitigated or their risks are accepted.
- IT system engineer. This person is typically responsible for implementing remediation actions defined as a result of detected vulnerabilities.
Timeline for reaction
Define a timeline to react to notifications of potentially relevant technical vulnerabilities, and deal with vulnerabilities through defined procedures.
Maintain an audit log for the process carried out and for maintaining traceability.
Aligning the system with incident management
Align your vulnerability management process with incident management activities, so that you can communicate data on vulnerabilities to the incident response function and provide technical solutions to be carried out in the event of an incident.
Continual improvement through corrective action and preventive action (CAPA)
Assure that controls continue to work as required and new and emerging threats and vulnerabilities are identified and remediated.
Ideally, your vulnerability management program should contribute to your organization’s business continuity — that is, the plan you have to deal with difficult situations so your organization can continue to function with as little disruption as possible.
Identifying, prioritizing, and treating vulnerabilities as quickly as possible will assure that your organization avoids potential risks that could be catastrophic to your business continuity management.
Vulnerability management and GRC
An effective vulnerability management process isn’t the solution to all of your cybersecurity problems, but it is one of the main methods to prevent cyber threats and exploitation of information security vulnerabilities.
Regular vulnerability assessments, vulnerability scanning, penetration testing, and risk assessments should all be routine parts of your organization’s vulnerability management process, because the risk environment changes over time.
Likewise, new security controls should be implemented as needed to address new risks or misconfigurations that could threaten your organization.