Vulnerability management is a vital practice to identify, classify, prioritize and remediate vulnerabilities on a regular basis. While many financial institutions are used to having a vulnerability assessment at least once a year to track and remediate vulnerabilities, many are also implementing practices to assess their vulnerabilities on a more frequent basis. I’m going to discuss five key areas you should focus on as you build an in-house vulnerability management program.
It’s always crucial to first outline the high-level objectives you are trying to meet. Ensure you address the following items in your policy: prioritization, roles and responsibilities, scan frequency, scope of scans, exception handling, remediation timelines (based on risk) and reporting.
What do you want to focus on? Internal hosts, external hosts or both? Workstations, servers and/or network infrastructure?
Depending on your technology environment, you want to think through what hosts you want to include and how often they should be scanned. And it’s critical to have a process to update the scope as new hosts come online. There should be an independent method to ensure you are including all relevant hosts in your scans.
Now that the scope is identified and you have completed scans, what do you do with the results? Anyone familiar with vulnerability scan results knows that even scans on simple environments can produce large lists of vulnerabilities.
The key is to have a method to prioritize. This may be as simple as using your vulnerability tool’s risk ratings to assign a deadline to each level (for example, requiring that critical findings be addressed within seven days). You can also factor in whether a vulnerability is known to be exploitable. Whatever approach you choose, it’s important that the method of prioritization is based upon your policy.
After the vulnerabilities are remediated according to your policy and prioritization plan, it’s important to verify the vulnerability has truly been remediated. A rescan should be done to validate that these items have been addressed.
To have a formal and effective vulnerability management program, you need proper oversight, and the oversight needs effective reporting.
In some ways, proper reporting can be a challenge in itself: while IT experts will be digging into the weeds of technical detail on each vulnerability, that level of detail is rarely the right one for steering committees or other groups providing oversight. We recommend coming up with simple dashboards that are repeatable and focus on high-level results and trends. This may include tracking the number of critical and high findings monthly, or tracking which open findings are exploitable. There are multiple tools in the marketplace that aim to make reporting easier.
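The three steps above (policy-based prioritization, rescan verification, and a high-level view for oversight) fit together in one small workflow. The following is an added example and not code from the original post or from Wipfli; the SLA table, the exploitability bump, the finding lists and the dates are all constructed, and a real version would read the scanner's export and take the deadlines from the institution's own policy document.

```python
"""Prioritize scan findings per policy, verify them against a rescan, and
summarize for oversight reporting.

Added example (not from the original post). SLA_DAYS, FIRST_SCAN and
RESCAN are constructed; the "exploitable bumps one severity band" rule is
an assumed policy choice, not a standard.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed policy table: days allowed to remediate, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample findings from an initial scan of the same scope.
FIRST_SCAN = [
    {"host": "10.10.1.5", "plugin": "SSH weak ciphers", "severity": "medium", "exploitable": False},
    {"host": "10.10.1.6", "plugin": "Outdated TLS library", "severity": "high", "exploitable": True},
    {"host": "10.10.2.20", "plugin": "SMBv1 enabled", "severity": "critical", "exploitable": True},
    {"host": "203.0.113.10", "plugin": "Missing HTTP headers", "severity": "low", "exploitable": False},
]
# Constructed rescan taken later: the TLS issue is gone, SMBv1 is still there.
RESCAN = [
    {"host": "10.10.1.5", "plugin": "SSH weak ciphers", "severity": "medium", "exploitable": False},
    {"host": "10.10.2.20", "plugin": "SMBv1 enabled", "severity": "critical", "exploitable": True},
    {"host": "203.0.113.10", "plugin": "Missing HTTP headers", "severity": "low", "exploitable": False},
]


def finding_key(f):
    """A finding is the same finding if host and check match across scans."""
    return (f["host"], f["plugin"])


def assign_deadline(finding, found_on, sla=SLA_DAYS):
    """Return (effective severity, ISO due date) for one finding.

    Assumed policy: an exploitable finding is treated one band stricter.
    """
    sev = finding["severity"]
    if finding["exploitable"] and sev != "critical":
        sev = SEVERITY_ORDER[SEVERITY_ORDER.index(sev) + 1]
    due = date.fromisoformat(found_on) + timedelta(days=sla[sev])
    return sev, due.isoformat()


def prioritize(findings, found_on):
    """Attach effective severity and due date, soonest deadline first."""
    rows = []
    for f in findings:
        eff, due = assign_deadline(f, found_on)
        rows.append({**f, "effective": eff, "due": due})
    rows.sort(key=lambda r: r["due"])
    return rows


def verify(prioritized, rescan, rescan_on):
    """Split prioritized findings into remediated / open / overdue using a rescan.

    A finding counts as remediated only when the rescan no longer reports it;
    anything still present past its due date is overdue.
    """
    still_present = {finding_key(f) for f in rescan}
    status = {"remediated": [], "open": [], "overdue": []}
    for r in prioritized:
        if finding_key(r) not in still_present:
            status["remediated"].append(r)
        elif rescan_on > r["due"]:           # ISO strings compare chronologically
            status["overdue"].append(r)
        else:
            status["open"].append(r)
    return status


def dashboard(status):
    """High-level counts suitable for a steering-committee view."""
    open_all = status["open"] + status["overdue"]
    return {
        "open_by_severity": dict(Counter(r["effective"] for r in open_all)),
        "open_exploitable": sum(1 for r in open_all if r["exploitable"]),
        "overdue": len(status["overdue"]),
        "remediated": len(status["remediated"]),
    }


if __name__ == "__main__":
    ranked = prioritize(FIRST_SCAN, "2024-01-01")
    for r in ranked:
        print(f"{r['due']}  {r['effective']:8} {r['host']:14} {r['plugin']}")
    print(dashboard(verify(ranked, RESCAN, "2024-01-20")))
```

Recording the due date next to each finding is what makes the rescan meaningful: the rescan answers "is it still there?", and the policy date answers "is that acceptable?", and the oversight dashboard only needs the counts that fall out of the two together.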
How Wipfli can help
Just like addressing vulnerabilities, implementing a successful vulnerability management program can be an iterative process. At the end of the day, you want to define your objectives in the policy and implement practices such as those listed above to meet those objectives in order to keep your institution safe.
Please reach out if you have any questions on vulnerability management programs. Learn about how we help serve financial institutions with everything from cybersecurity to compliance to internal audit.