Is Your Vulnerability Management Program Up To Snuff? – The 9 Question Self Assessment


Vulnerability Management is one of the most fundamental, yet effective security controls that organizations can implement to reduce their exposure to cyber attacks. It is required by almost every regulation and standard that addresses IT management and information security. This includes HIPAA/HITECH, PCI Data Security Standard, ITIL, Microsoft Operations Framework, COBIT, ISO 27001, and NIST, just to name a few. Yet many healthcare organizations still struggle to effectively implement compliant vulnerability management programs, and thus leave themselves exposed to both financial and operational risk.

Self Assessment

IT and non-IT leaders can use the following 9 questions to evaluate the maturity and readiness levels of their vulnerability management programs:

  • Does management have a solid understanding of what vulnerability management is and why it’s important?
    • Validating question: Has management made vulnerability management a priority?
  • Does the organization have a policy that addresses vulnerability management?
  • Has the organization created or adopted a vulnerability management framework?
  • Does the organization have vulnerability management metrics that are regularly reviewed and acted upon?
    • Validating question: What is the average time to remediate a critical vulnerability? (CVSS score of 10)
  • How does the organization assess risk as related to vulnerabilities and threats?
    • Validating question: How does the organization prioritize its remediation efforts?
  • Does the organization have clearly defined roles and responsibilities related to vulnerability management?
    • Validating question: Is there a separation of duties between vulnerability identification and remediation?
  • Are the necessary vulnerability management tools and processes in place (e.g. asset inventory, scanning, patching, ticketing, correlation)?
  • Does the organization have a complete asset inventory (desktops, servers, database servers, mobile devices, clinical/biomed devices, etc.)?
    • Validating question: What percentage of the organization’s assets are included in the vulnerability management process?
  • Does the organization have configuration management processes in place?
    • Validating question: How does the organization identify and manage insecure configuration changes?
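Two of the validating questions above ask for numbers: the average time to remediate a critical vulnerability and the percentage of assets covered by the vulnerability management process. The following is an added example, not code from the original post, showing how those two metrics can be computed from scanner findings and an asset inventory. The findings, asset names and CVE identifiers are constructed placeholders, and the critical threshold defaults to a CVSS score of 10 to match the question as worded; findings that are still open are aged separately rather than silently dropped, since a single unpatched critical finding can matter more than a good average.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset (constructed placeholder data)."""
    asset: str
    cve: str
    cvss: float
    detected: date
    remediated: Optional[date]  # None means the finding is still open


# Date the report is generated "as of"; open findings are aged against it.
AS_OF = date(2024, 2, 1)

# Constructed sample findings; CVE identifiers are placeholders, not real advisories.
FINDINGS: List[Finding] = [
    Finding("srv-db-01", "CVE-0000-0001", 10.0, date(2024, 1, 2), date(2024, 1, 9)),
    Finding("ws-042", "CVE-0000-0001", 10.0, date(2024, 1, 2), date(2024, 1, 23)),
    Finding("biomed-07", "CVE-0000-0002", 10.0, date(2024, 1, 5), None),
    Finding("srv-web-02", "CVE-0000-0003", 7.5, date(2024, 1, 3), date(2024, 1, 10)),
]

# Constructed asset inventory (authoritative list) and the hosts the scanner actually saw.
INVENTORY = ["srv-db-01", "srv-web-02", "ws-042", "biomed-07", "infusion-pump-03"]
SCANNED = ["srv-db-01", "srv-web-02", "ws-042", "biomed-07", "rogue-host"]


def remediation_stats(findings: Iterable[Finding],
                      cvss_threshold: float = 10.0,
                      as_of: date = AS_OF) -> Dict[str, object]:
    """Average days to remediate findings at or above the CVSS threshold.

    Closed findings contribute to the mean; open ones are reported with their
    current age so they are visible instead of hidden by the average.
    """
    critical = [f for f in findings if f.cvss >= cvss_threshold]
    closed_days = [(f.remediated - f.detected).days
                   for f in critical if f.remediated is not None]
    open_ages = {f"{f.asset}:{f.cve}": (as_of - f.detected).days
                 for f in critical if f.remediated is None}
    mean_days = sum(closed_days) / len(closed_days) if closed_days else None
    return {
        "closed_count": len(closed_days),
        "mean_days_to_remediate": mean_days,
        "open": open_ages,
    }


def coverage(inventory: Iterable[str], scanned: Iterable[str]) -> Dict[str, object]:
    """Percentage of inventoried assets that appear in scan results.

    Also reports the two gaps a reviewer should chase: inventoried assets never
    scanned, and scanned hosts missing from the inventory (inventory is incomplete).
    """
    inv, sc = set(inventory), set(scanned)
    covered = inv & sc
    percent = round(100.0 * len(covered) / len(inv), 1) if inv else 0.0
    return {
        "percent_covered": percent,
        "not_scanned": sorted(inv - covered),
        "not_in_inventory": sorted(sc - inv),
    }


if __name__ == "__main__":
    print(remediation_stats(FINDINGS))
    print(coverage(INVENTORY, SCANNED))
```

With the sample data, the two closed critical findings average 14 days to remediate, one critical finding on a biomedical device has been open for 27 days, and 80% of the inventory was scanned, with one inventoried device never scanned and one scanned host that the inventory does not know about. Both gaps feed directly into the asset inventory and configuration management questions above.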

References & Resources

