The discovery phase should find every asset on your network and build a knowledge database that other processes can use. Reporting of the data found during discovery generally provides a number of different outcomes. Reports should create a prioritization matrix that feeds into downstream processes. Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. The goal of prioritization is to create a customized list of what to tackle first, second, third and so on. Risk response is the approach an organization chooses to address the known risks. Addressing risk falls into three categories: remediate, mitigate or accept (Palmer, 2013).

Many organizations perform scans on a quarterly basis, which only provides a snapshot at that point in time. The main purpose of a vulnerability management process is to detect and remediate vulnerabilities in a timely fashion. If you are only scanning quarterly, then you cannot remediate vulnerabilities in a timely manner. Roles and responsibilities should be identified within an organization when building a vulnerability management process (Palmer, 2013). The roles that should be identified are:
a. Security Officer: The security officer owns the vulnerability management process. They design the process and ensure it is implemented as designed.
b. Vulnerability Engineer: They configure the scanner and schedule the various vulnerability scans.
c. Asset Owner: They are responsible for the IT assets that are being scanned.
d. IT System Engineer: They are responsible for implementing remediating actions defined as a result of detected vulnerabilities.
Once the roles are defined, the process consists of five phases: preparation, scanning, defining remediating actions, implementing remediating actions, and rescanning. The first phase in a vulnerability management process is the preparation phase.
Start with a small scope to prevent being overwhelmed by thousands of vulnerabilities. This can be done by starting out with a few systems, or by limiting the results to critical/high severity. This phase is the responsibility of the security officer. It is important to obtain agreement on which systems will be included in or excluded from the vulnerability management process (Palmer, 2013). Once the preparation phase is complete, the initial vulnerability scans are performed. Any issues that occur during the scans should be recorded, since they could recur in future scans. Vulnerability scanning tools offer a wide range of reporting options; use them to create a variety of reports. The security officer will be interested in the risk the organization is currently facing, which includes the number of vulnerabilities detected and the severity/risk rating of each identified vulnerability.
Once the initial scan is done, the next phase is defining remediating actions. This involves the asset owner, the security officer, and the IT department. The security officer will analyze the vulnerabilities, determine the associated risks and provide input on risk remediation. The IT department will analyze the vulnerabilities from a technical perspective and answer questions such as whether patches are available or whether the configuration can be hardened. Asset owners should include a timeline in their action plan indicating when these remediating actions will be implemented. The remediation timeframe should be in line with the level of risk detected (Palmer, 2013).

The next phase is implementing remediating actions. They should be executed within the agreed timeframe, and any problems encountered along the way should be documented. Alternative means of remediation should come from the security officer and the IT department. Once all actions have been taken it is time for the final phase, the rescan. Once a vulnerability is remediated, a rescan needs to be done to verify that it is no longer present on the system. The rescan should be done using the same tool, with an identical configuration to the initial scan; this is important because a different configuration would produce results that cannot be compared. The same types of reports are generated again. Vulnerability management is a continuous information security risk process that requires management oversight. In order to ensure a successful vulnerability management program, attention should be paid to a number of aspects. First of all, roles and responsibilities should be clearly assigned. Then select a vulnerability scanning tool that suits the needs of your organization.
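The prioritization, risk response, deadline and rescan steps described above can be modelled as a small tracking tool. The following is an added example written for this text, not code from the cited source; the asset names, check identifiers and the per-severity deadlines are constructed assumptions, since the text only says the timeframe should match the level of risk.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadlines per severity tier (assumed values for illustration).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
VALID_RESPONSES = {"remediate", "mitigate", "accept"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str   # scanner check identifier (constructed, not a real plugin id)
    severity: str
    cvss: float

def prioritize(findings):
    """Rank findings highest risk first: severity tier, then CVSS, then asset."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.cvss, f.asset))

def action_plan(findings, scan_date, responses):
    """Assign each finding a risk response (default: remediate) and, unless the
    risk is accepted, a due date in line with its severity."""
    plan = []
    for f in prioritize(findings):
        resp = responses.get((f.asset, f.check_id), "remediate")
        if resp not in VALID_RESPONSES:
            raise ValueError(f"unknown risk response {resp!r}")
        due = None if resp == "accept" else scan_date + timedelta(days=SLA_DAYS[f.severity])
        plan.append((f, resp, due))
    return plan

def verify_rescan(initial, rescan):
    """Diff two scans taken with the same tool and configuration:
    closed = no longer reported, still_open = reported in both, new = first seen now."""
    before = {(f.asset, f.check_id) for f in initial}
    after = {(f.asset, f.check_id) for f in rescan}
    return sorted(before - after), sorted(before & after), sorted(after - before)

def overdue(plan, today, rescan):
    """Planned items past their due date that the rescan still reports."""
    still_present = {(f.asset, f.check_id) for f in rescan}
    return [f for f, _, due in plan
            if due is not None and today > due and (f.asset, f.check_id) in still_present]

# Constructed sample scan results.
INITIAL = [Finding("web01", "CHK-1001", "high", 8.1), Finding("web01", "CHK-1002", "low", 3.1),
           Finding("db01", "CHK-2001", "critical", 9.8), Finding("db01", "CHK-1001", "high", 8.1)]
RESCAN = [Finding("web01", "CHK-1002", "low", 3.1), Finding("db01", "CHK-1001", "high", 8.1),
          Finding("web01", "CHK-3001", "medium", 5.3)]
SAMPLE_RESPONSES = {("web01", "CHK-1002"): "accept"}  # low-risk finding accepted by the asset owner
```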