Critical stages of vulnerability management in PCI

Before we start our discussion of the role of vulnerability management in PCI compliance, we need to briefly define what the IT industry means by vulnerability management. Some industry pundits have proclaimed that it is simple: just patch all those pesky software problems and you are done. Others struggle with it, because the number of platforms and applications to patch, and of other weaknesses to rectify, is out of control in most large organizations with complex networks and many different products. Vulnerability management, however, is not the same as keeping your systems patched. If you are busy on the second Tuesday of every month when Microsoft releases its batch of patches, but do nothing to eliminate the broad range of other enterprise vulnerabilities during the rest of the month, you are not managing your vulnerabilities effectively, if at all.

Clearly, vulnerability management is not only about technology for "patching the holes." As everybody in the security industry knows, technology for discovering vulnerabilities is getting better every day. Vulnerability scanners can detect vulnerabilities from the network side with reasonable accuracy, and from the host side (with credentialed access) with even better accuracy. However, many organizations that implemented periodic scanning have discovered that the volume of findings far exceeds their expectations and their capacity to act on them. A quick scan-then-fix approach turns into an endless wheel of pain. Many free and low-cost commercial vulnerability scanners suffer from this more than their higher-priced brethren, because they report more noise and false positives, which exacerbates the problem for price-sensitive organizations such as smaller merchants. Using vulnerability scanners effectively presents other challenges as well, including obtaining network visibility of the critical systems, the perceived or real impact on network bandwidth, and the stability of the scanned systems. Overall, it is becoming clear that vulnerability management involves more process than technology, and that it should be driven by overall risk rather than simply by the volume of incoming scanner data.

Let's outline some critical stages of the vulnerability management process. Although the Gartner analysts cited below define the process as beginning with policy, vulnerability management really starts at software creation, where vulnerabilities are actually introduced. Thus, investing in secure coding practices (prescribed in Requirement 6) makes the rest of the vulnerability management lifecycle much less painful. The following steps are commonly viewed as composing the vulnerability management process:
1. "Policy definition is the first step and includes defining the desired state for device configurations, user identity, and resource access.
2. Baseline your environment to identify vulnerabilities and policy compliance.
3. Prioritize mitigation activities based on external threat information, internal security posture, and asset classification.
4. Shield the environment, prior to eliminating the vulnerability, by using desktop and network security tools.
5. Mitigate the vulnerability and eliminate the root causes.
6. Maintain and continually monitor the environment for deviations from policy and to identify new vulnerabilities." ("Improve IT Security With Vulnerability Management" by Amrit T. Williams and Mark Nicolett, Gartner, May 2005.)
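Steps 3 through 5 are where most organizations drown in scanner output. The following is an added example, not code from the original article or from Gartner, showing one way to turn raw findings into a risk-ranked work list: each finding is weighted by asset classification (whether the host is in the cardholder data environment), by exposure, by external threat information (a public exploit exists) and by whether a shielding control is already in place, and findings are then grouped by root cause so one fix can close many hosts. The asset classes, weights, scanner check names and hosts are all constructed assumptions for illustration; tune them to your own asset inventory and threat feeds.

```python
"""Risk-based prioritisation of vulnerability scanner findings (added example).

All weights, asset classes and sample findings below are assumptions made for
illustration; they are not prescribed by PCI DSS or by the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed asset classification weights: in-scope CDE systems matter most,
# systems connected to the CDE next, ordinary corporate hosts less, lab least.
ASSET_WEIGHT = {"cde": 3.0, "connected": 2.0, "corporate": 1.0, "lab": 0.5}

# Assumed exposure weights: an internet-facing host is reachable by anyone.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0, "isolated": 0.5}

EXPLOIT_FACTOR = 1.5   # external threat info: a public exploit is known
SHIELD_FACTOR = 0.5    # a WAF/IPS rule buys time; it does not fix the root cause


@dataclass
class Finding:
    host: str
    check: str             # scanner check / root cause identifier (constructed)
    cvss: float            # base score as reported by the scanner
    asset_class: str       # key of ASSET_WEIGHT
    exposure: str          # key of EXPOSURE_WEIGHT
    exploit_public: bool   # step 3: external threat information
    shielded: bool = False # step 4: compensating control already in place


def risk_score(f: Finding) -> float:
    """Combine scanner severity with asset, exposure and threat context."""
    score = f.cvss * ASSET_WEIGHT[f.asset_class] * EXPOSURE_WEIGHT[f.exposure]
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    if f.shielded:
        score *= SHIELD_FACTOR
    return round(score, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Step 3: order the work list by contextual risk, not by raw CVSS."""
    return sorted(findings, key=risk_score, reverse=True)


def by_root_cause(findings: List[Finding]) -> Dict[str, List[str]]:
    """Step 5: group hosts by the check that flagged them, so that one fix
    (for example, an OpenSSL upgrade) is tracked once rather than per host.
    Root causes touching the most hosts come first."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        groups[f.check].append(f.host)
    return dict(sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True))


# Constructed sample scanner output (hosts and check names are invented).
SAMPLE_FINDINGS = [
    Finding("pos-gw-01", "openssl-outdated", 7.5, "cde", "internet", True),
    Finding("pos-gw-02", "openssl-outdated", 7.5, "cde", "internet", True, shielded=True),
    Finding("hr-web", "openssl-outdated", 7.5, "corporate", "internal", True),
    Finding("db-01", "weak-tls-config", 5.3, "cde", "internal", False),
    Finding("build-box", "kernel-local-privesc", 9.8, "lab", "isolated", True),
]

if __name__ == "__main__":
    print("Prioritised work list:")
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"  {risk_score(f):6.2f}  {f.host:10s}  {f.check}  (CVSS {f.cvss})")
    print("Root causes by number of affected hosts:")
    for check, hosts in by_root_cause(SAMPLE_FINDINGS).items():
        print(f"  {check}: {', '.join(hosts)}")
```

Note what the ranking does to the highest raw CVSS in the sample: the 9.8 local privilege escalation on an isolated lab box lands at the bottom of the list, while the 7.5 OpenSSL issue on the internet-facing payment gateway tops it. That is the difference between managing risk and managing scanner volume. The shielded gateway still ranks above the corporate host, deliberately: shielding lowers urgency but the root cause remains until step 5 is done.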

CompliancesForum provides FREE templates, checklists, and updates for your regulatory compliance needs: Basel II Accord, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX)
