For a more visual presentation, download the Cybersecurity Committee’s Step Four infographic here. Otherwise, read the blog below!
Contrary to popular belief, a Vulnerability Assessment is not an Information Technology function. Information Technology is not synonymous with Information Security. Information Technology personnel are responsible for day-to-day operation and uptime. How many of you would classify your IT person as a “MacGyver”, the person who can make anything work? It has often been said that the IT person has it covered. Do they really have it covered? Operational IT people live in the “Availability” world. If the system is up and functional, then they are doing their jobs. As a rule, temporary, on-the-fly solutions tend to become permanent and may introduce risk into your organization.
Information Security professionals are a bit of a different breed. They have a completely different point of view: they live in the world of “Confidentiality” and “Integrity” while balancing “Availability”. Information Security is really all about assessing and mitigating risk according to the risk appetite of the organization.
Your first Vulnerability Assessment provides a baseline and gives your organization an accurate snapshot of its current Cyber Security Maturity status. Vulnerability Assessments should be conducted at regular intervals because the threat landscape is constantly changing. These assessments are a key part of your organization’s Cyber Security Posture.
An assessment is composed of four main parts.
Technical vulnerabilities are discovered using automated vulnerability assessment tools such as Tenable Nessus, Rapid7 and Greenbone Vulnerability Server. These scanners have the ability to discover thousands of confirmed, common vulnerabilities that are known to exist in operating systems, applications, server software and firmware. The commercial versions of these products also provide detailed technical reporting.
Some of these scanners are open source, but a majority of them are commercial, licensed software. The commercial versions of these scanners are usually sold by subscription and your organization will incur annual fees to maintain licensing and receive vulnerability updates.
In some cases, manual technical assessments are used to examine systems for misconfigurations and less commonly known vulnerabilities. This is sometimes referred to as penetration testing. Penetration testing methodology is designed to compromise the security of a system, which is what distinguishes it from an automated scan that only reports known issues.
Your risk assessment should be used as a guide to determine which Cyber Security Controls should be implemented. These controls should be outlined in the System Security Plan for each system that your organization is using. A controls assessment confirms that the selected security controls are effective for the desired outcome.
An Executive Summary should be furnished to the organization’s management team. This report should give a high-level explanation of the state of the organization’s Cyber Security Maturity. It should address critical or severe security gaps in non-technical language and give a high-level mitigation overview.
Remediation Plan with Actions and Milestones
A more technical report can be given to the Technology Leaders in the organization. This report should provide specific and granular information on the vulnerabilities found, their severity and the remediation steps required. A plan of actions and milestones should be drafted to ensure that mitigation efforts are directed and maintain momentum.
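As an added illustration (not the committee’s or any vendor’s tooling) of how the technical findings feed the two reports above, the script below takes scanner findings in an assumed, simplified CSV export and produces the management roll-up for the Executive Summary plus a plan of actions and milestones ordered by severity. The sample rows, the column names and the per-severity remediation deadlines are constructed assumptions; set the deadlines from your own risk appetite.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample findings in an assumed export layout (host, severity, title, solution).
SAMPLE_CSV = """host,severity,title,solution
10.0.0.5,Critical,Unsupported operating system version,Upgrade or decommission the host
10.0.0.5,High,Outdated TLS library,Apply vendor patch and reboot
10.0.0.7,Medium,Legacy TLS 1.0 accepted,Disable TLS 1.0 and 1.1 in the server config
10.0.0.9,Low,Server version banner disclosed,Suppress the version banner
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
# Assumed remediation deadlines in days per severity (organization-specific policy).
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "Info": 365}


def parse_findings(csv_text):
    """Parse the export and reject rows whose severity the plan cannot schedule."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if row["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} on host {row['host']}")
    return rows


def executive_summary(findings):
    """Non-technical roll-up for management: counts by severity, hosts with critical gaps."""
    counts = Counter(f["severity"] for f in findings)
    critical_hosts = sorted({f["host"] for f in findings if f["severity"] == "Critical"})
    return {"total": len(findings),
            "by_severity": {s: counts.get(s, 0) for s in SEVERITY_RANK},
            "hosts_with_critical": critical_hosts}


def poam(findings, assessment_date_iso):
    """Plan of actions and milestones: one open item per finding, worst severity first,
    with a milestone date = assessment date + the severity's remediation deadline."""
    start = date.fromisoformat(assessment_date_iso)
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])
    return [{"host": f["host"], "severity": f["severity"], "weakness": f["title"],
             "action": f["solution"], "status": "Open",
             "milestone": (start + timedelta(days=REMEDIATION_DAYS[f["severity"]])).isoformat()}
            for f in ordered]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print(executive_summary(findings))
    for item in poam(findings, "2024-01-15"):
        print(item)
```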
A Vulnerability Assessment is a key component of your organization’s overall Information Security strategy. These assessments provide a view into your organization’s critical business systems so that the associated risks can be identified and mitigated. It is up to your management team to determine whether you have the resources, both in money and in talent, to effectively perform a Vulnerability Assessment. Assessments performed using internal company resources are useful for establishing baselines and providing ongoing assessment. It is highly recommended that regularly scheduled vulnerability assessments also be performed by an independent third party to verify internal results and confirm mitigation efforts.
To learn more from the PSA Cybersecurity Committee, visit PSAEducation.com!