Six Steps in Effective Vulnerability Management
For IT enabled organizations, servers, storage devices, desktops, laptops, etc., are their critical assets, as it
is where organizations’ critical and vital digital information generally reside. These systems are
therefore,vulnerable to cyber-attacks, both internal and external.It is very important for organizations to
take necessary measures to protect their assets from any kinds of risks through a proper implementation
of an effective vulnerability management solution. Such a move would not only guarantee a secure IT
environment but also improve the company’s regulatory compliance position. Wikipedia defines
Vulnerability Management as “cyclical practice of identifying, classifying, remediating, and mitigating
vulnerabilities.”Hence vulnerability management is not a point-in-time event but an on-going process
that protects company’svaluable data, customer information, critical network assets, and intellectual
The need for an effective vulnerability management solution gains importance with the fact that
organizations, can no longer afford to remain complacent in the face of Government regulations, financial
implications, and loss of reputation.For instance, in healthcare compliance with HIPAA and HITECH are
necessary to avoid penalties.
Gartner, an information technology research and advisory firm, defines six points to help organizations in
evolving an effective vulnerability management program.
1. Define Policies
As a first step,organizations must define their information security and compliance policies and actions
steps to reach and maintain the desired state of security and compliance related to their environment.
This includes at a fundamental level, determining device configurations, user identity, and resource
access. There are more.
2. Baseline the Environment
After defining the policies, organizations must gauge their current security state with reference to their
environment and baseline the threshold limits.
Once the vulnerabilities are identified, organizations must prioritize thembased on a combination of
riskimpacts and efforts.
In the meantime,organizationscan reduce the effect of damage caused by these vulnerabilities by shielding
the environment using desktop and network security tools.
Organizations must choose mitigation strategies and activities to manage external threats, and internal
security posture,based on critical-asset classification. These mitigation activities should address and
eliminate the root causes of vulnerabilities. This can be done through patching vulnerable services,
changing vulnerable configurations, or making application updates to remove vulnerable code.
6. Maintain and Monitor
Since an organization’s computing environment, security policies,and practices change over time, based
on assessed vulnerabilities and their impact, steps should be taken to ensure continuous monitoring of the
environment for any significant changes of significant impact.
Also read on - IT Compliance, Threat management