To some of our customers, the first thing that comes to mind when we mention vulnerability management is compliance, or vulnerability scanning. We encourage our customers to take a more holistic view and think beyond a tool-based approach. We use a people- and process-based approach to vulnerability management, because vulnerabilities exist in networks, applications, physical security, people (e.g., social engineering) and in the processes themselves.
The Aujas approach provides a framework that you may want to use in creating a sustainable and organic vulnerability management program. It includes four phases: diagnose, analyze, transform, and sustain.
Diagnose. We look at the current state of the program and compare it to the desired future state. This involves finding the root causes of the program not working. One example is the lack of a vulnerability rating system, which prevents prioritization based on the company's risk appetite. The same issue then reappears under incident response, because the vulnerability rating system should be incorporated into the incident response program so that severity language carries the same meaning across business units.
Analyze. In this phase we work with the client to develop key performance indicators that measure the program's maturity and successes. The metrics are defined, and the KPIs and collection methods for each metric are created. We then allocate resources to fixing the root-cause issues and highlight where focus is needed to implement a customized vulnerability management program. This phase makes explicit the gaps between the current state and the future state the company wants.
Transform. In this phase business processes that inhibit the company's vulnerability management are created, reworked or removed. An example is the customer's patch response cycle: how does it change over time? Is it slow because of configuration management? Is responsibility split too much between the corporate program and the teams that actually apply patches at the division level? Perhaps a clearer delineation of responsibilities is what shortens the patch response cycle.
Sustain. The objective of this phase is continuous measurement of program implementation and maturity. It is the culmination of the previous phases and ensures that a metrics program is in place to surface issues and lead the company back through the methodology: identifying, analyzing, and then creating, reworking or removing the business processes, technology or positions that do not add value to the vulnerability management program.
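As an added example (not part of the original Aujas post or its methodology), the kind of measurement the Analyze and Sustain phases call for, applied to the patch response cycle discussed under Transform: given a set of findings with a severity, a discovery date and a remediation date, compute mean time to remediate per severity, the SLA breach rate per business unit, and the open backlog already past its SLA. The severity-to-SLA mapping, the record layout and the sample findings are constructed assumptions for illustration, not values from the post.

```python
"""Remediation KPIs for a vulnerability management program (added example).

The SLA windows and the finding records below are constructed for
illustration; a real program derives the windows from its own risk appetite.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rating scheme: remediation SLA in days per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    business_unit: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


def days_to_remediate(f: Finding, as_of: date) -> int:
    """Time to fix for a closed finding; time open so far for an open one."""
    end = f.remediated or as_of
    return (end - f.discovered).days


def days_over_sla(f: Finding, as_of: date) -> int:
    """Positive when the finding has exceeded its severity's SLA window."""
    return days_to_remediate(f, as_of) - SLA_DAYS[f.severity]


def sla_breached(f: Finding, as_of: date) -> bool:
    return days_over_sla(f, as_of) > 0


def mttr_by_severity(findings: list[Finding], as_of: date) -> dict[str, float]:
    """Mean time to remediate, in days, over closed findings only."""
    closed: dict[str, list[int]] = defaultdict(list)
    for f in findings:
        if f.remediated is not None:
            closed[f.severity].append(days_to_remediate(f, as_of))
    return {sev: sum(v) / len(v) for sev, v in closed.items()}


def breach_rate_by_unit(findings: list[Finding], as_of: date) -> dict[str, float]:
    """Share of each business unit's findings (open or closed) past SLA."""
    totals: dict[str, int] = defaultdict(int)
    breached: dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f.business_unit] += 1
        if sla_breached(f, as_of):
            breached[f.business_unit] += 1
    return {bu: breached[bu] / totals[bu] for bu in totals}


def open_backlog_over_sla(findings: list[Finding], as_of: date) -> list[Finding]:
    """Open findings already past SLA, most overdue first: the Transform-phase input."""
    overdue = [f for f in findings if f.remediated is None and sla_breached(f, as_of)]
    return sorted(overdue, key=lambda f: days_over_sla(f, as_of), reverse=True)


# Constructed sample data (not real findings).
AS_OF = date(2024, 1, 31)
FINDINGS = [
    Finding("V-001", "corporate", "critical", date(2024, 1, 2), date(2024, 1, 5)),
    Finding("V-002", "corporate", "high", date(2023, 12, 1), date(2024, 1, 15)),
    Finding("V-003", "retail", "critical", date(2024, 1, 10), None),
    Finding("V-004", "retail", "medium", date(2023, 11, 1), date(2024, 1, 20)),
    Finding("V-005", "retail", "low", date(2023, 6, 1), None),
    Finding("V-006", "corporate", "high", date(2024, 1, 1), date(2024, 1, 21)),
]

if __name__ == "__main__":
    print("MTTR by severity (days):", mttr_by_severity(FINDINGS, AS_OF))
    print("SLA breach rate by unit:", breach_rate_by_unit(FINDINGS, AS_OF))
    for f in open_backlog_over_sla(FINDINGS, AS_OF):
        print(f"overdue {f.vuln_id} ({f.business_unit}, {f.severity}): "
              f"{days_over_sla(f, AS_OF)} days past SLA")
```

Measuring breach rate per business unit rather than company-wide is what exposes the division-of-responsibility problem described above: a corporate program can report a healthy average while one division's backlog quietly ages past SLA.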
Aujas has outlined a no-nonsense approach to helping clients build a strong vulnerability management program. Are you positioned well for the coming year with a sound program? Asking Santa might be nice, but in reality, the elves at Aujas are more suited to deliver this present!