Compliance is critical, necessary and not evil. Every organization wants to meet its compliance requirements, and risk assessments and vulnerability management are key to achieving critical requirements.
Most of the time, organizations see Vulnerability Management as just another checkbox in pursuit of compliance. They forget or ignore many of its aspects, or they lack the concrete foundations needed to carry out a well-drilled and well-oiled Vulnerability Management process, so the process becomes complicated or fails midway. Our job is to make the process as smooth as possible, and sometimes it is better to start at step 0.
The foundation of every comprehensive Vulnerability Assessment & Management process is Asset Management. Asset Management clarifies which assets belong to which business unit inside the organization, whether they are still relevant or are in the process of being decommissioned, who is responsible for taking care of them, and who owns them. We have to ask these questions so that tomorrow, when a critical vulnerability needs immediate patching, the security operations team does not go in all directions to find that asset’s owner.
A comprehensive asset management exercise can weed out up to 10-20% of assets that are incorrectly tagged or are being decommissioned, which in turn reduces the number of vulnerabilities. And when you know who owns an asset or who applies patches to it, your work is reduced considerably.
How asset management is done varies from organization to organization. Most organizations use asset management tools, which makes getting various kinds of reports and information about the assets really easy, but the challenge remains whether that information is up to date or outdated. If the organization uses Excel sheets to record its assets, well, that takes the game to a whole new level.
Once you know which assets are in scope and they have been validated, the Vulnerability Management exercise is a walk in the park.
So now we know the first step in the Vulnerability Management process. I will be discussing the next steps in my future post.
Views by Gurpreet Bajaj