
23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

August 31, 2022 Vulnerabilities Remediation

Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.

All organisations will need to address vulnerabilities from time to time. In larger organisations, managing vulnerabilities will be a continual process.

Vulnerabilities can be identified through scanning, penetration testing, vulnerability alert services or many other methods. When a vulnerability is identified, it is important that the risk it poses to your organisation is properly assessed so that any remediation or mitigation activity can be prioritised accordingly.

It is important that any remediation activities are prioritised in the context of your organisation, your risk appetite and other activities taking place. When, how and if you decide to remediate a vulnerability will depend on:

  • the risk the open vulnerability poses to your business (how likely it is that the vulnerability will be exploited and what the impact would be if it happened)
  • the risk and cost of fixing the vulnerability (fixing vulnerabilities in your IT estate will require resources that could be used for other tasks and could involve operational risks such as disruption or knock-on compatibility issues)
  • whether you are able to put any compensatory controls in place to mitigate the security risks, instead of directly remediating the vulnerability
  • other activities taking place within your organisation, now or in the near future.

For example, if a vulnerability is identified in a system for which a new release is scheduled soon, you may wish to include the remediation as part of the scheduled release instead of pushing through unplanned changes. When and how to deploy fixes for vulnerabilities should be carefully considered depending on the severity of the vulnerability, the risk it poses to your organisation and whether there are compensatory controls you can put in place to mitigate the risk in the interim. For some vulnerabilities, it will be important to remediate as soon as possible through emergency change processes.
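As an added illustration (not part of the original guidance), the following Python sketch encodes the decision factors above as a triage router that feeds each finding into the workflow that fits its risk and the current schedule; the three-band scoring scheme, thresholds, day counts and sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed three-band scale

@dataclass
class Finding:
    ref: str                      # internal tracking id (constructed placeholder)
    system: str
    likelihood: str               # how likely exploitation is
    impact: str                   # business impact if it happened
    compensating_control: bool    # can an interim control mitigate the risk?
    next_release: Optional[date]  # scheduled release for the system, if any
    source: str                   # scanner, pentest, alert feed, employee report

def risk_score(f: Finding) -> int:
    """Likelihood x impact on a 1..9 scale (assumed scoring scheme)."""
    return LEVEL[f.likelihood] * LEVEL[f.impact]

def route(f: Finding, today: date, release_window_days: int = 30) -> dict:
    """Pick the workflow a finding is fed into and the date it should be fixed by."""
    score = risk_score(f)
    if score >= 6 and not f.compensating_control:
        # high risk and nothing to mitigate it: emergency change process
        workflow, due = "emergency-change", today + timedelta(days=7)
    elif f.next_release and 0 <= (f.next_release - today).days <= release_window_days:
        # a release is already planned soon: bundle the fix instead of an unplanned change
        workflow, due = "scheduled-release", f.next_release
    elif score >= 3:
        workflow, due = "it-change-management", today + timedelta(days=90)
    else:
        workflow, due = "improvement-backlog", None
    # high-risk items that are not fixed at once rely on interim controls, so key
    # stakeholders (including affected clients) are told
    return {"ref": f.ref, "score": score, "workflow": workflow, "due": due,
            "notify_stakeholders": score >= 6}

def demo(today: date = date(2022, 8, 31)) -> list:
    """Constructed sample findings run through the router."""
    findings = [
        Finding("VULN-001", "customer-portal", "high", "high", False, None, "pentest"),
        Finding("VULN-002", "billing-api", "high", "high", True, today + timedelta(days=14), "scanner"),
        Finding("VULN-003", "intranet-wiki", "medium", "medium", False, today + timedelta(days=60), "alert-feed"),
        Finding("VULN-004", "build-agent", "low", "medium", False, None, "employee-report"),
    ]
    return [route(f, today) for f in findings]
```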

As much as possible, fixes for security vulnerabilities should be fed into existing IT or development workflows rather than being addressed as stand-alone changes.

How to implement the control:

If you are a very small organisation, vulnerabilities can be addressed as and when they are identified. If you are a large organisation with a complex IT estate, you may choose to implement a central vulnerability management system with associated processes. It is very important that any security vulnerability management processes are embedded within operational IT or development teams, and are not stand-alone.

The NCSC have written a detailed guide on what to consider when assessing and prioritising vulnerabilities, which can be found here.
