The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Mike Berard - eSecurityOnline

Students: Spring 2023, unless noted otherwise, sessions will be virtual on Zoom.

A Vulnerability Management Maturity Mode

Apr 17, 2002


The Vulnerability Management Maturity Model (VM3) reviews security knowledge, deployment and accountability, and the fact that vulnerabilities are not just technical in nature. Vulnerabilities also include people and process failures. While most security professionals understand technical vulnerabilities (i.e., operating systems exposures, Trojan horses, etc.) and develop a security strategy and methods to address them. This is just the first step to a mature security. The people and process aspect of vulnerabilities is just as important.

This first stage of the Vulnerability Management Maturity Model deals with how effectively companies can obtain the security information they need. In most cases, security knowledge is obtained from very diverse sources. Hacker alerts, in particular, are a common part of many publicly and commercially available Internet list services. Knowledge that is available for general distribution is not in a form that can be deployed in an enterprise environment. In addition to technical vulnerability information, proper configuration standards need to be addressed and developed. Most companies have adequate technical resources to manage their protecting systems (i.e., firewalls, IDs, etc.), but how do you extend that knowledge to the serving systems (mail servers, Web servers, etc.) with multiple operating systems and complex architectures that support business critical applications?

Good knowledge is a great starting point for managing risks exposed by misconfiguration of systems, the existence of inappropriate code or absence of policies that govern people and their behavior. However, without a responsive, repeatable deployment process, getting adequate coverage by having good knowledge becomes infeasible. The VM3 contends that good knowledge without execution is only slightly better than no knowledge at all.

The ability to track what changes have been made to computer systems and determine if an employee has read and acknowledged a policy is step one in the accountability stage. The extension of governance to include an entire critical infrastructure, made possible by the feasibility of an automated engine, is step two. The final step involves measuring compliance to the process by conducting reviews of actual systems to ensure a correlation of the results of discovery process with the actual system inventory.

About the Speaker

eSecurityOnline content development and assurance is the main focus of Mike Berard, vice president of content management. In carrying out his duties, he is committed to ensure the eSO Framework delivers a comprehensive, validated and timely knowledgebase that IT professionals can rely on to drive their risk, configuration and vulnerability management processes. He has more than 13 years experience in industry-related consulting and is an expert in project and knowledge management. He also has extensive experience in the development of eCommerce, information technology and business strategy. Prior to joining our company, he was a member of E&Y\'s professional consulting services organization. His industry consulting has spanned both the public and private sectors and has included work in the government, health care, telecom, utilities, consumer products and distribution industries, as well as with professional services.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!