Vulnerability Management in Project Management


The term vulnerability and risk

The term vulnerability refers to the internal characteristics of a system that make it susceptible to risks. Vulnerability assessment in systems assists in identifying potential threats and in coming up with collective actions that can reduce the risk of severe consequences from adversarial actions. In coming up with an effective vulnerability assessment, it is imperative to establish a framework for reducing risks and other associated costs. Although vulnerability and risk are often confused, the concept of vulnerability is distinct from risk, and the management of vulnerabilities involves different aspects than traditional risk management. Often, project managers utilize risk management to estimate the likelihood of occurrence of a specific risk (Pinto 2015).

Vulnerability and risk management

On the other hand, vulnerability management assesses the characteristics of the system that can change the possibility for harm. Evidently, reducing vulnerability is one way of managing risk. However, the reduction in the effects of risk cannot in any way diminish the weakness of the system. The principal purpose of risk management is to identify the threats, quantify the impacts of the risks, and come up with strategies that mitigate the occurrence of the risks. The role of this paper, therefore, is to discuss how vulnerabilities in an existing system can be identified and counteracted. As a result, this project aims at addressing the concept of system vulnerability in three ways. First, it defines system vulnerability and researches the concept so that it can be understood and implemented in the context of project management. Second, it considers how a comprehensive framework based on vulnerability assessment can facilitate better decisions based on uncertainty and policy implications. Third, it covers the means of identifying and analyzing security threats and security vulnerabilities.

Background

The term “being vulnerable” means being capable of getting injured or hurt. However, the current literature has not given much insight into the word vulnerable, and the daily discovery of new software makes it highly susceptible to vulnerabilities. Vulnerability management is thus the means of detecting and getting rid of the inherent risk of vulnerabilities, and it achieves this through specialized software that helps identify the threats. According to Nicastro (2011), vulnerabilities arise from identifiable attributes in the system. Nevertheless, system vulnerabilities can also arise as a result of the interactions between several components that existed in the early versions of the system. Research efforts in vulnerability assessment indicate that it is an integral process in vulnerability management and that cybersecurity professionals are in most cases trained to consider evaluations from a technical perspective. Practically, it is impossible to remove every system vulnerability from a given environment, as some weaknesses can persist due to challenges associated with patching specific devices (Souppaya and Scarfone 2013).

Vulnerability Assessment Benefits

In conducting a vulnerability assessment, therefore, the practitioners do not exploit all the vulnerabilities that they find, but the evaluation assists in assessing and focusing on the weaknesses in the system. For example, in conducting a system vulnerability assessment on a network, the vulnerability scanner can discover the presence of outdated software. Eliminating this weakness may require only a software update and a reboot of the entire system. Some of the benefits of vulnerability assessment include security benefits and compliance obligations. When a project manager conducts a vulnerability assessment, they can satisfy both of these factors (Pinto, 2015). The security benefits of vulnerability assessments are numerous, as this can lead to the identification of rogue assets in the system. The results of the vulnerability assessment can be used to come up with remediation plans, and this can make the systems more secure.

Project Management Plans for Vulnerability Management

One of the primary objectives of vulnerability management is to detect and remediate vulnerabilities in a timely way (Brenner, 2010). Notably, the majority of companies do not conduct vulnerability scans in their environment, and some do so on a quarterly or annual basis. As a result, a vulnerability not detected during one scheduled scan can only be detected at the next scheduled scan. In most cases, this can leave the systems vulnerable for a long time, and as a result, when coming up with vulnerability management processes, the project manager should schedule regular scans to reduce the exposure time. According to Foreman (2010), the presence of regular scans ensures that the vulnerabilities are detected in a timely fashion, and this makes their remediation possible. When coming up with a vulnerability management process, it is imperative to follow these phases: preparation, vulnerability scan, defining the remediation actions, implementing the rectification actions, and rescanning.

Preparing for Vulnerability Management

During the preparation stages, the security officer defines the scope of the vulnerability management process. The first step during this phase is thus determining the systems that will be included in or excluded from the process. It is at this stage that the organization defines the type of scans from the perspective of the attacker (Wheeler 2011). In determining the scope of the systems to include in the vulnerability management process, it is imperative to note that it is not feasible to include everything in the first scan. Limiting the scope ensures that the vulnerabilities discovered are manageable. Once the preparation phase is complete, the organization can perform the initial vulnerability scan. Notably, at this juncture, the project manager and the security officer are interested in the risks the organization faces, with all the departments obtaining an overview of the vulnerabilities in the systems they are responsible for (Foreman 2010).

Rectification Phase

For example, the IT department can obtain an overview of all the technical vulnerabilities as well as the recommendations for mitigation and overall improvement. When the vulnerabilities are found, one of the best ways to mitigate them is by deploying patches, which can address the weaknesses. According to Nicastro (2011), the primary purpose of an organization's patch management program is to identify the controls and processes that can provide the organization with the appropriate protection against the vulnerabilities. Research has shown that these vulnerabilities can adversely affect the security of the organization's systems and any data present (Nicastro 2011).

Implementing Remediation Actions

Once the vulnerability scan is over, the rectification phase follows, and in this phase the security officers, in collaboration with the system owners and the IT department, define the remediation actions. The role of the security officer is to analyze the vulnerabilities and determine the associated risks. The remediation timeframe should be in line with the risk detected, and the timescale always varies with different organizations. Immediately after this phase, the next stage is the implementation of the remediation actions (Wheeler 2011). In particular, there is the need to execute the operations in line with the agreed timeframe, and if problems arise during the execution, it is the role of the security officer to record such problems. Further, the security officer should track the status of the remediating actions. Finally, once all the vulnerabilities are rectified, there is the need to conduct a rescan to verify that all the remediating actions are implemented. Notably, this scan is performed using the same tools used during the initial scan.
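The tracking and rescan steps described above can be sketched as a comparison of two scan result sets. This is an added example, not part of the original essay; the deadline values in `SLA_DAYS`, the record fields, the dates, and all host and check names are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Assumed deadlines (days) per severity; the essay only says the timeframe
# should match the risk and varies between organizations.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def key(finding):
    """Identify a finding by host and check so two scans can be compared."""
    return (finding["host"], finding["check"])

def track_remediation(initial, rescan, rescan_hosts, scan_date, rescan_date):
    """Classify each initial finding after a rescan made with the same tool."""
    present = {key(f) for f in rescan}
    known = {key(f) for f in initial}
    report = {"remediated": [], "open": [], "overdue": [], "unverified": []}
    for f in initial:
        due = scan_date + timedelta(days=SLA_DAYS[f["severity"]])
        if f["host"] not in rescan_hosts:
            # Host was not rescanned: absence of the finding proves nothing.
            status = "unverified"
        elif key(f) not in present:
            status = "remediated"
        elif rescan_date > due:
            status = "overdue"
        else:
            status = "open"
        report[status].append(key(f))
    report["new"] = [key(f) for f in rescan if key(f) not in known]
    return report

# Constructed sample data (hosts and check names are invented).
INITIAL = [
    {"host": "web01", "check": "outdated-software", "severity": "critical"},
    {"host": "web01", "check": "weak-tls-config", "severity": "medium"},
    {"host": "db01", "check": "outdated-software", "severity": "high"},
    {"host": "print01", "check": "default-credentials", "severity": "high"},
]
RESCAN = [
    {"host": "web01", "check": "outdated-software", "severity": "critical"},
    {"host": "web01", "check": "weak-tls-config", "severity": "medium"},
    {"host": "db01", "check": "open-file-share", "severity": "low"},
]
REPORT = track_remediation(INITIAL, RESCAN, {"web01", "db01"},
                           date(2024, 1, 1), date(2024, 1, 15))

if __name__ == "__main__":
    for status, items in REPORT.items():
        print(f"{status:11} {items}")
```

The `unverified` bucket covers a host that dropped out of the rescan scope, so a missing finding there is not counted as a fix.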

Recommendations for Vulnerability Management

Without a vulnerability management process in place, an organization is bound to experience risks related to the security of the IT infrastructure (Foreman 2010). Of note, the implementation of a vulnerability identification process entails managing the risks, and it is essential for the management to come up with well-advised decisions in counteracting the already existing risks. As a result, the organization can manage to reduce the inherent risks in the system. From the above analysis, an effective vulnerability assessment and remediation program should be able to prevent any exploitation of the vulnerabilities by detecting and remediating them in a timely manner. Because of this, there is the need for proactive management of vulnerabilities on the various devices in an organization, as this can reduce or eliminate any potential for exploitation. In the end, this can save on the resources that would otherwise be needed to respond to incidents after the occurrence of exploitation. For the organization to create a consistently configured environment, it must keep the systems secure against the vulnerabilities. The organization can achieve this through the implementation of a threat monitoring process that allows the security team to gather information about the vulnerabilities affecting the different systems in the organization. The team should stay current on these threats, with any threat uncovered addressed by the vulnerability management team.

Concluding Remarks

Indeed, the organization should conduct regular vulnerability assessments by coming up with a formal program with defined roles and responsibilities. Evidently, the assessment should not be done once but should be a continuous process, as new vulnerabilities can emerge in due course. The organization should also remediate the vulnerabilities, and this involves evaluating the identified weaknesses (Manzuik, Gold and Gatford 2007). After determining the vulnerabilities, the security officer should assign risk to the vulnerabilities, plan the necessary responses, and track the required actions that the project manager should take towards mitigating the vulnerabilities. Discovering the faults in a system and failing to take action is useless, and this can leave the organization susceptible to many threats. Lastly, the organization should patch the vulnerabilities by having in place those processes and tools that identify and confirm vulnerabilities that are a threat to the organization (Foreman 2010). By adhering to these recommendations, the project manager is on their way to securing their organization against vulnerabilities and risks that can have serious effects when left unchecked.

Conclusion

From the above analysis, it is evident that an organization should have in place a process for managing vulnerabilities. The lack of an efficient vulnerability management program can expose the organization to threats to the security of its various systems. Notably, a vulnerability management process involves managing risks, and this can give the organization a continuous view of the risks associated with the presence of vulnerabilities in the systems. By conducting vulnerability assessments, the organization can manage to minimize the security gap, and this can, in the end, save time, money, and resources.

References

Brenner, B. (2010). Vulnerability management: The basics. [online] CSO Online. Available at: https://www.csoonline.com/article/2125921/cloud-security/vulnerability-management--the-basics.html [Accessed 20 May 2018].

Foreman, P. (2010). Vulnerability management. 2nd ed. Boca Raton: CRC Press.

Manzuik, S., Gold, A. and Gatford, C. (2007). Network security assessment. 1st ed. Rockland: Syngress Pub.

Nicastro, F. (2011). Security Patch Management. 2nd ed. Boca Raton: CRC Press.

Pinto, J. (2015). Project management. 4th ed. Upper Saddle River: Prentice Hall.

Souppaya, M. and Scarfone, K. (2013). Guide to Enterprise Patch Management Technologies. [online] NIST. Available at: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=913929 [Accessed 20 May 2018].

Wheeler, E. (2011). Security risk management. 2nd ed. Waltham: Syngress.

September 11, 2023