A Vulnerability Management Maturity Model
Mike Berard - eSecurityOnline
Apr 17, 2002
Abstract
The Vulnerability Management Maturity Model (VM3) reviews security knowledge, deployment and accountability, and recognizes that vulnerabilities are not just technical in nature: they also include people and process failures. Most security professionals understand technical vulnerabilities (e.g., operating system exposures, Trojan horses) and develop a security strategy and methods to address them, but this is only the first step toward mature security. The people and process aspects of vulnerability are just as important.
The first stage of the Vulnerability Management Maturity Model deals with how effectively companies can obtain the security information they need. In most cases, security knowledge is gathered from very diverse sources; hacker alerts, in particular, are a common part of many publicly and commercially available Internet list services. Knowledge that is available for general distribution is not in a form that can be deployed directly in an enterprise environment. In addition to technical vulnerability information, proper configuration standards need to be developed and addressed. Most companies have adequate technical resources to manage their protecting systems (firewalls, IDS, etc.), but how do you extend that knowledge to the serving systems (mail servers, Web servers, etc.), with multiple operating systems and complex architectures, that support business-critical applications?
Good knowledge is a great starting point for managing the risks exposed by misconfigured systems, the presence of inappropriate code, or the absence of policies that govern people and their behavior. Without a responsive, repeatable deployment process, however, good knowledge alone does not yield adequate coverage. The VM3 contends that good knowledge without execution is only slightly better than no knowledge at all.
Step one of the accountability stage is the ability to track what changes have been made to computer systems and to determine whether an employee has read and acknowledged a policy. Step two extends that governance to an entire critical infrastructure, which an automated engine makes feasible. The final step measures compliance with the process by reviewing actual systems to ensure that the results of the discovery process correlate with the actual system inventory.
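The accountability stage above comes down to reconciling three records: what the inventory says you run, what discovery actually observes, and what the configuration standard requires (plus, for step one, who has signed the current policy). The following is an added example of that reconciliation, not code from the abstract or from eSecurityOnline; the hosts, owners, patch identifiers, platform labels and staff names are all constructed for illustration, and the data structures are assumptions about what an inventory and a scanner would export.

```python
"""Reconcile discovery results with the asset inventory and policy acknowledgments.

Added example, not code from the original abstract or from eSecurityOnline.
All hosts, owners, patch identifiers and staff names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str          # accountable party for the system
    os: str             # platform label used to look up the configuration standard
    patches: frozenset  # patches the inventory claims are applied


# Constructed inventory (what the organisation believes it runs).
INVENTORY = {
    "web01": Asset("web01", "ecommerce", "solaris-8", frozenset({"P-101", "P-102"})),
    "mail01": Asset("mail01", "messaging", "solaris-8", frozenset({"P-101"})),
    "fw01": Asset("fw01", "netops", "nt4", frozenset({"Q-7"})),
    "db01": Asset("db01", "ecommerce", "solaris-8", frozenset({"P-101", "P-102"})),
}

# Constructed discovery results (what a scan actually observed).
DISCOVERED = {
    "web01": {"os": "solaris-8", "patches": {"P-101", "P-102"}},
    "mail01": {"os": "solaris-8", "patches": {"P-101"}},
    "fw01": {"os": "nt4", "patches": set()},          # inventory claims Q-7; scan sees nothing
    "test07": {"os": "solaris-8", "patches": set()},  # never entered in the inventory
}

# Constructed configuration standard: patches required per platform.
REQUIRED = {"solaris-8": {"P-101", "P-102"}, "nt4": {"Q-7"}}


def reconcile(inventory, discovered, required):
    """Compare the inventory with discovery output and the standard.

    Returns a report with:
      unknown       hosts seen by discovery but absent from inventory (no owner to hold accountable)
      missing       inventoried hosts discovery did not see (stale record or outage)
      drift         per host, patches the inventory claims that discovery did not observe
      noncompliant  per host, required patches discovery did not observe
      coverage      fraction of reconciled hosts that meet the standard
    """
    inv_hosts, disc_hosts = set(inventory), set(discovered)
    report = {
        "unknown": sorted(disc_hosts - inv_hosts),
        "missing": sorted(inv_hosts - disc_hosts),
        "drift": {},
        "noncompliant": {},
    }
    reconciled = sorted(inv_hosts & disc_hosts)
    for host in reconciled:
        observed = set(discovered[host]["patches"])
        claimed = set(inventory[host].patches)
        if claimed - observed:
            report["drift"][host] = sorted(claimed - observed)
        needed = set(required.get(discovered[host]["os"], ()))
        if needed - observed:
            report["noncompliant"][host] = sorted(needed - observed)
    compliant = len(reconciled) - len(report["noncompliant"])
    report["coverage"] = compliant / len(reconciled) if reconciled else 0.0
    return report


def unacknowledged(staff, acknowledgments, current_version):
    """Staff who have not acknowledged the current policy version.

    acknowledgments maps a person to the policy version they last signed;
    signing an older version does not count as acknowledging the current one.
    """
    return sorted(p for p in staff if acknowledgments.get(p) != current_version)


if __name__ == "__main__":
    r = reconcile(INVENTORY, DISCOVERED, REQUIRED)
    for key in ("unknown", "missing", "drift", "noncompliant", "coverage"):
        print(f"{key}: {r[key]}")
    print("unacknowledged:", unacknowledged({"alice", "bob", "carol"},
                                            {"alice": "v2", "bob": "v1"}, "v2"))
```

The point of keeping "drift" separate from "noncompliant" is that they are different accountability failures: drift means the inventory (and whoever maintains it) is wrong about a system, while noncompliance means the deployment process did not reach it. Unknown hosts are the worst case for the model, since there is no owner and no inventory record to measure against, and they should be treated as findings in their own right rather than folded into the coverage figure.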
About the Speaker
eSecurityOnline content development and assurance is the main focus of Mike Berard, vice president of content management. In carrying out his duties, he is committed to ensuring that the eSO Framework delivers a comprehensive, validated and timely knowledgebase that IT professionals can rely on to drive their risk, configuration and vulnerability management processes. He has more than 13 years of experience in industry-related consulting and is an expert in project and knowledge management. He also has extensive experience in the development of eCommerce, information technology and business strategy. Prior to joining eSecurityOnline, he was a member of E&Y's professional consulting services organization. His industry consulting has spanned both the public and private sectors and has included work in the government, health care, telecom, utilities, consumer products and distribution industries, as well as professional services.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of this copyrighted material without permission from CERIAS, Purdue University.