Vulnerability Management
This section is under development
Contents
Objective
The objective of Vulnerability Management can be described as identifying, prioritizing and mitigating weaknesses in assets which can be exploited. This service is currently listed at #3 in the CIS Top 20 Controls (CIS, 2018)
A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005) Gartner defines Vulnerability Management as "Vulnerability management is a process that can be implemented to make IT environments more secure and to improve an organization's regulatory compliance posture."
Process
Tripwire states "The vulnerability management process is a continuous information security risk undertaking that requires management oversight. There are four high-level processes that encompass vulnerability management: discovery, reporting, prioritization and response."(Bisson, 2018)
Gartner defines the processes as follows: Policy, baseline, prioritize, shield (read:Compensating Controls), mitigate and maintain(Gartner, 2005)
Tooling
Ticketing
Reporting
Staffing
Budgeting
Communications
Documentation
Lessons Learned | Pain Points
Citations
Bisson. 2018. "What is Vulnerability Management Anyway?". Retrieved from https://www.tripwire.com/state-of-security/vulnerability-management/what-is-vulnerability-management-anyway/ Center for Internet Security. 2018. CIS Controls™. Retrieved from https://www.cisecurity.org/controls/ ISO/IEC. 2015. Information technology -- Security techniques – Code of practice for information security management. ISO/IEC 27002 Tom Palmaers. 2013. Implementing a vulnerability management process. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180 Qualys. 20018. Vulnerability management for dummies. Chichester: John Wiley & Sons, 2008. eBook.
