Vulnerability Assessment
Vulnerability scanning is a tool that helps an organization identify vulnerabilities on its networked computing devices. The results of vulnerability scans inform and alert management and device administrators to potential vulnerabilities so that those vulnerabilities can be addressed and managed. Vulnerability scanning can also be used more broadly, to verify that the organization's information security practices are working properly and effectively.
SCOPE
This standard applies to employees, contractors, vendors, and agents who access the organization's information systems. It applies to all organization-owned devices that are connected to the network, and it may also be applied to personally-owned devices that are solely or predominantly used to conduct the organization's business.
STEPS FOR AN EFFECTIVE VULNERABILITY ASSESSMENT
IDENTIFY AND UNDERSTAND YOUR BUSINESS PROCESSES
The first step in establishing business context is to identify and understand your organization's business processes, focusing on those that are critical or sensitive in terms of compliance, customer privacy, and competitive position. In most organizations this requires collaboration between IT and representatives of the business units, the finance department, and legal counsel. Many organizations assemble a security strategy task force with representatives from each department, who work together for several weeks to analyse the business processes and the information and infrastructure they depend on.
PINPOINT THE APPLICATIONS AND DATA THAT UNDERLIE BUSINESS PROCESSES
Once the business processes have been identified and ranked by mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. This, too, can only be accomplished through collaboration between IT and the other business stakeholders. Extensive collaborative discussion may reveal applications that are far more critical than expected. For instance, email may be an absolutely critical application for one department but non-critical for many others.
FINDING THE HIDDEN DATA SOURCES
While searching for applications and data sources, make sure you take into account mobile devices, smartphones, and tablets, as well as desktop PCs. Collectively, these devices often hold your organization's most recent and most sensitive data. Work with the business units to understand who is using mobile devices to access and share corporate applications and data, and understand the data flows between these devices and data center applications and storage. Another frequently overlooked category is the software development environment, which is typically less tightly controlled than production. Software developers and testers often use current, sometimes mission-critical, data to test new and upgraded applications, so a test server can hold production data without production protections.
DETERMINE WHAT HARDWARE UNDERLIES APPLICATIONS AND DATA
Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications. Identify the data storage devices that hold the mission-critical and sensitive data used by the applications.
MAP THE NETWORK INFRASTRUCTURE THAT CONNECTS THE HARDWARE
Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast and secure operation, including which network paths expose each server to the internet, to the internal network, or to neither.
IDENTIFY WHICH CONTROLS ARE ALREADY IN PLACE
Document the security and business continuity measures that are already in place, including policies, firewalls, application firewalls, VPNs, data loss prevention (DLP), and encryption, for each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of each of these protections and which classes of vulnerability they address most effectively, because a compensating control in front of a host changes how urgently a finding on that host needs to be fixed.
APPLY BUSINESS AND TECHNOLOGY CONTEXT TO SCANNER RESULTS
Your scanner may report scores of host and other vulnerabilities with severity ratings, but those ratings are calculated from objective measures that take no account of your environment, so it is important to apply the organization's business and infrastructure context to them. Deriving meaningful, actionable information about business risk from raw vulnerability data is a complex and difficult task. After evaluating the staff's level of expertise and workload, an organization may decide that it is worth partnering with a company that is well versed in all aspects of security and threat assessment. Whether the task is undertaken internally or with outside assistance, the results must be analysed to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
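The prioritisation step above, together with the controls inventory from the previous step, as an added example that is not part of the original page: a small Python script that takes scanner findings carrying a context-free CVSS base score and rescales each one by the affected asset's business criticality, its network exposure, and any compensating control already in place, then ranks the results. The hosts, findings, weights, and the mapping of controls to finding categories are all constructed and hypothetical; a real deployment would pull the asset fields from the inventory built in the earlier steps and the findings from the scanner's export.

```python
"""Risk-based prioritisation of vulnerability-scanner findings.

Added example, not code from the original page. It combines the scanner's
objective severity (CVSS base score) with business context gathered in the
earlier assessment steps: asset criticality, network exposure, and
compensating controls. Every host, finding, weight and control mapping
below is constructed for illustration and is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int            # 1 (low) .. 5 (mission critical), from the business-process mapping
    exposure: str               # "internet", "internal" or "isolated", from the network map
    controls: frozenset = frozenset()   # compensating controls in front of the host


@dataclass(frozen=True)
class Finding:
    host: str
    title: str                  # scanner check name (hypothetical)
    cvss: float                 # scanner's objective base score, 0.0 .. 10.0
    vector: str                 # "network" or "local" attack vector
    category: str               # finding class, e.g. "web", "rce", "auth"


# How reachable a host is from an attacker's starting point (assumed weights).
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}

# Which documented controls materially reduce exploitability of a finding
# class. This mapping is an assumption for illustration only.
MITIGATING_CONTROLS = {
    "web": {"waf"},             # an application firewall in front of a web bug
    "rce": {"segmentation"},    # network segmentation limits who can reach the listener
}


def contextual_score(f: Finding, a: Asset) -> float:
    """Scale the CVSS base score by business and infrastructure context.

    score = cvss * exposure_weight * (criticality / 5) * control_factor
    """
    exposure = EXPOSURE_WEIGHT[a.exposure]
    if f.vector == "local":
        # A local-only bug is never directly reachable from the network edge.
        exposure = min(exposure, EXPOSURE_WEIGHT["internal"])
    control_factor = 1.0
    if MITIGATING_CONTROLS.get(f.category, set()) & a.controls:
        control_factor = 0.5    # a matching compensating control halves urgency
    return round(f.cvss * exposure * (a.criticality / 5) * control_factor, 2)


def prioritise(findings, assets):
    """Return (ranked, unmapped).

    ranked:   list of dicts sorted by contextual score, highest first.
    unmapped: findings on hosts absent from the asset inventory. These are
              not scored; a host the business never mapped is itself a gap
              in the assessment and needs an owner before it can be ranked.
    """
    inventory = {a.host: a for a in assets}
    ranked, unmapped = [], []
    for f in findings:
        a = inventory.get(f.host)
        if a is None:
            unmapped.append(f)
            continue
        ranked.append({"host": f.host, "title": f.title, "cvss": f.cvss,
                       "score": contextual_score(f, a)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, unmapped


# Constructed sample inventory and scanner output (hypothetical hosts).
ASSETS = [
    Asset("erp-db-01", 5, "internal", frozenset({"segmentation", "encryption"})),
    Asset("www-01", 4, "internet", frozenset({"waf"})),
    Asset("dev-test-03", 3, "internal"),        # dev box holding production data, no controls
    Asset("kiosk-07", 1, "isolated"),
]

FINDINGS = [
    Finding("www-01", "SQL injection in login form", 9.8, "network", "web"),
    Finding("erp-db-01", "Unauthenticated RCE in database listener", 9.8, "network", "rce"),
    Finding("dev-test-03", "Default credentials on admin console", 9.8, "network", "auth"),
    Finding("kiosk-07", "Local privilege escalation", 7.8, "local", "rce"),
    Finding("unknown-host-9", "Outdated TLS library", 7.5, "network", "web"),
]


if __name__ == "__main__":
    ranked, unmapped = prioritise(FINDINGS, ASSETS)
    for r in ranked:
        print(f'{r["score"]:5.2f}  (cvss {r["cvss"]})  {r["host"]}: {r["title"]}')
    for f in unmapped:
        print(f' n/a   (cvss {f.cvss})  {f.host}: {f.title}  [host not in asset inventory]')
```

Three of the constructed findings share the same 9.8 base score, yet after context is applied the internet-facing web server and the unprotected development box holding production data outrank the segmented ERP database, and the isolated kiosk's local bug drops to the bottom. The finding on the unmapped host is deliberately left unranked rather than given a guessed score, because the missing inventory entry is the more important thing to fix.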