How to Implement a Vulnerability Management Process

Software solves many problems and improves many processes, but the code software depends on is never perfect. That fact of life leaves your software and the data within open to new vulnerabilities including hacking, exploitation, and theft.

Because of this, businesses must task their security team to create a vulnerability management solution that can identify, assess, remediate, and report code vulnerabilities. The goal: to prevent unwanted access to your software that can cause expensive, punitive, or even devastating damages to your business.

Why is vulnerability management required?

First, understand that your business will encounter a vulnerability; no system is immune. For some organizations, vulnerabilities have minimal impact. For most, the impact is anywhere from moderate to debilitating.

Left unaddressed, vulnerabilities expose your business to costly lawsuits, reputation-ending data breaches, or even closing your doors. Without the foresight to anticipate and manage vulnerabilities in a timely—and many instances preventable—manner, you leave the survival of your company up to chance.

Broadly speaking, vulnerability management has two components: investing in ISO certification, and setting up a vulnerability management system. 

Investing in ISO certification. While ISO certification isn’t required, being ISO 27001 certified demonstrates that your business has built a disciplined, systematic approach to managing sensitive data and avoiding data breaches. Certification instills trust among customers and staff as they provide sensitive PII data to your company. To get certified, you will need to create your own ISO certification checklist.

Establishing a vulnerability management system. This step is crucial for the unavoidable fact that a vulnerability will arise eventually. By establishing a risk management plan, you may be able to mitigate or even prevent serious legal and financial repercussions as a result of a vulnerability. 

What are the steps in the vulnerability management process?

Working with your security team, you can implement a comprehensive vulnerability management program that suits your organization, needs, and data infrastructure. This typically happens  in four phases:

1. Identify: The most important stage of vulnerability management is actually identifying the issue. You can identify vulnerabilities in two ways. 
   • Proactively: Many companies choose to invest in cybersecurity tools such as scanners or penetration testing tools. These vulnerability detection tools allow you to automate a cadenced, code-base audit and search for ways to break into your system to expose new vulnerabilities.  Vulnerability scanning is akin to a detective poking around for flaws in the background. When an issue is discovered, the tool will identify the vulnerability’s severity for developers to remediate accordingly. 
   • Reactively: In the absence of a cybersecurity tool, companies could identify and handle vulnerabilities on a case-by-case basis. In some cases that will require basic patching from a developer; n in other instances, much more. Most common vulnerabilities will show themselves eventually, by either a customer or employee identifying an issue. This approach is much less systematic and efficient and presents a high risk for your company—since the wrong hack or flaw can cause an incredible amount of damage as every minute passes.
2. Assess: Identified vulnerabilities range significantly in their severity, so it’s critical to have a system that assesses their impact. Start by creating a set of criteria in advance so that once a vulnerability is identified, you can assess its projected impact quickly and prioritize accordingly. 

Consider using risk ratings or a CVSS (common vulnerability scoring system) to provide more perspective. For example, a  vulnerability scanning tool or penetration testing tool may flag hundreds of results, but only a few may actually apply to your company. Risk ratings or CVSS can help you weigh the costs and benefits of each scenario: Is this vulnerability something minor that we can live with? Is it something we can patch to mitigate the impact? Or is it something that could cause us not to be ISO Compliant? And to what extent?

Start by identifying what your greatest threats are. This will involve asking yourself tough questions such as, “What’s more critical: getting our site back up, or protecting customer data? Shielding financial documentation, or exposing proprietary intelligence?” This process should help you determine which vulnerabilities are relevant to your business and actually worth fixing.

1. Remediate: Having the right vulnerability response plan (and personnel) in place for treating each vulnerability could spell the difference between intercepting a vulnerability before it’s a problem or having a substantial security breach. First, identify who the lead is on remediation. Second, identify the prioritization of that vulnerability. 

Below is a set of questions to ask as you remediate a vulnerability:

1. • Who is responsible for the part of the system that contains the vulnerability?
   • Must the issue be remediated right now, or can go into the queue? 
   • Upon remediation, does the patch need to be validated and reviewed, or can it be deployed immediately? 
   • Does anyone need to be notified, such as our customers or team? 
   • Has this vulnerability been exploited by anyone?
   • Do you need to disable the functionality of your product to remediate safely?

Regardless of the nature of your business, by creating this criteria now, you’ll have a clear plan of action for prioritizing, triaging and treating each vulnerability as it is identified and assessed. 

1. Report: You should also leverage a vulnerability risk assessment tool to run continuous checks, and to keep reports that detail which vulnerabilities were identified and how they were remediated. By flagging trends in flaws and vulnerabilities,  your team might be able to identify a greater issue in the code and build stronger code over time—protecting your software, your data, and your business from security risk. Moreover, when a vulnerability appears again sometime in the future, detailed reports provide a record of what remediation steps worked before, which ones didn’t, and how to handle the threat most effectively. 

What are the roles and responsibilities in the vulnerability management process?

The size of your security team will vary depending on the overall size of your company, but it’s critical that each step listed above has a corresponding owner (and in many cases, a team) to support it. Below are the roles and responsibilities required to carry out effective vulnerability management:

• IT Security Officer: You will need someone to own the entire information security process. This person will design your vulnerability management process, determine which tools your company invests in, champion your ISO Certification, own the reporting function, and have ultimate responsibility for the security of your IT department. 
• Vulnerability Engineer: This person is responsible for implementing, managing, and using the vulnerability scanning and penetration tools to run checks on your system. He or she is responsible for the identification of vulnerabilities, big or small.
• Vulnerability Assessment Officer: This person designs and oversees the criteria by which your company determines, ranks, and prioritizes the remediation of vulnerabilities. He or she works with the vulnerability engineer to review their scans.
• System Administrator or System Engineer: This role may often have a team of “asset owners” responsible for mitigating and remediating identified vulnerabilities according to the vulnerabilities’ severity and priority. 

Managing sensitive data comes with tremendous and inevitable risk. How your business chooses to prevent, assess, and manage that risk, however, is entirely up to you. To learn how ZenGRC can help you get ISO certified and implement a comprehensive vulnerability risk management plan, contact us today.