[ISN] Vulnerability Management Payoff Requires Road Map

From: InfoSec News <alerts_at_private>
Date: Mon, 16 Mar 2009 02:16:28 -0600 (CST)
http://securitywatch.eweek.com/flaws/vulnerability_management_payoff_requires_roadmap.html

By Matthew Hines 
eWEEK Security Watch
March 15, 2009

Vulnerability management may be the next big thing in terms of IT 
security strategy, but deriving the maximum value out of your efforts 
requires hard work and a comprehensive plan, industry insiders 
recognize.

Speaking at the SOURCE Boston conference this week, scanner maker 
Tenable Security's Carole Fennelly outlined some of the best practices 
that organizations should observe as they attempt to identify and 
remediate security weaknesses that exist throughout their IT systems and 
applications.

While vulnerability scanners such as Tenable's Nessus can provide 
organizations with loads of valuable data about potential weak points 
throughout their IT ecosystems, if companies don't have the right road 
map in place to respond to and act on the results provided by the 
assessment tools, they won't realize as many benefits of the 
vulnerability management process, Fennelly said.

The expert outlined a series of steps that organizations should follow 
to help optimize their efforts, which start with prioritizing exactly 
which assets have to be managed most aggressively. That might sound like 
obvious advice, but many companies put the carriage in front of the 
horse in terms of getting involved with vulnerability management without 
first understanding what they need to address, she said.

"Organizations need to create asset lists that define their critical 
business systems to help prioritize their efforts; they need to have the 
support of different internal groups to create these lists that will 
help them mitigate their most critical problems," said Fennelly, 
Tenable's director of content. "For instance, if you can classify your 
data and know what area of your network certain data is supposed to be 
on, then you can tune your scanners to monitor your network 
appropriately. But admittedly, trying to get business people to come up 
with this type of classification is often the tough part."

[...]


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/
Received on Mon Mar 16 2009 - 01:16:28 PDT

This archive was generated by hypermail 2.2.0 : Mon Mar 16 2009 - 01:32:46 PDT