This is the first post in a series of cybersecurity tips and tricks from ACA Aponix's team of experienced consultants.
The third quarter of 2017 saw the announcement of 7 high-profile data breaches in 7 weeks. Two of the more high-profile breaches, of the SEC's EDGAR filing system and of Equifax, were carried out through known security vulnerabilities. While these organizations are not related (nor, from what we can gather, were the attackers), they have one major thing in common: a failure to maintain an effective vulnerability management program.
5 Best Practices for Building an Effective Vulnerability Management Program
A vulnerability management program determines how your company detects and responds to vulnerabilities in your internal and external networks. Here are 5 best practices for building a sound vulnerability management program.
- Perform external and internal network scans on a weekly basis.
- Develop and implement a mitigation plan for critical and high alerts.
- Make patches and fixes a high priority.
Some IT professionals believe it is safe to stay a month or so behind the patch cycle in order to minimize disruption to production and operational systems. This belief must change: it is no longer safe to wait 30 days to apply patches.
- Test and validate patches and fixes before deploying to the enterprise.
Create a cross-functional test group and lab environment to expedite the validation of patches.
- Apply validated patches and fixes as soon as possible.
Once patches are validated, deploy them to the enterprise as soon as possible and have a rollback plan for mitigating the impact of any issues.
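The five practices above amount to a weekly review loop: scan, then track every open finding against a remediation deadline and escalate what is late. The following Python script is an added example, not part of the original post, that runs that review over a constructed set of scanner findings. The per-severity deadlines, the field names and the sample hosts and check labels are this example's own assumptions; the weekly scan interval and the critical/high focus come from the post.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines in days from first detection. The post only
# says critical/high alerts need a mitigation plan and that lagging 30 days
# is no longer safe; the exact numbers here are this example's assumption.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SCAN_INTERVAL_DAYS = 7  # weekly external and internal scans, per the post


@dataclass
class Finding:
    host: str
    check: str        # scanner check label (constructed, not a real plugin id)
    severity: str     # one of the SLA_DAYS keys, lower-case
    first_seen: date  # first scan that reported it
    last_seen: date   # most recent scan that reported it
    remediated: bool = False


def triage(findings, today):
    """Classify open findings for the weekly vulnerability review.

    overdue: open longer than the SLA for its severity (escalate, mitigate now)
    stale:   not re-observed within one scan interval yet not marked remediated,
             which usually means a scan coverage gap rather than a fix
    plan:    open critical/high items that need a written mitigation plan
    """
    overdue, stale, plan = [], [], []
    for f in findings:
        if f.remediated:
            continue
        age = (today - f.first_seen).days
        if age > SLA_DAYS[f.severity.lower()]:
            overdue.append((f.host, f.check, age))
        if (today - f.last_seen).days > SCAN_INTERVAL_DAYS:
            stale.append((f.host, f.check))
        if f.severity.lower() in ("critical", "high"):
            plan.append((f.host, f.check))
    return overdue, stale, plan


# Constructed sample scan results; hosts and check labels are invented.
TODAY = date(2017, 10, 2)
SAMPLE = [
    Finding("web-01", "outdated-web-framework", "critical", date(2017, 9, 1), TODAY),
    Finding("db-02", "weak-tls-config", "high", date(2017, 9, 25), TODAY),
    Finding("hr-03", "missing-os-patch", "medium", date(2017, 8, 20), date(2017, 9, 18)),
    Finding("file-04", "banner-disclosure", "low", date(2017, 9, 28), TODAY, True),
]

if __name__ == "__main__":
    for label, rows in zip(("OVERDUE", "STALE", "NEEDS PLAN"), triage(SAMPLE, TODAY)):
        print(label, rows)
```

Feeding the script a real scanner export in place of SAMPLE turns the three lists into the agenda for the weekly review: overdue items go to the mitigation plan owners, stale items go back to whoever runs the scans.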
Taking a proactive approach to vulnerability detection is critical to preventing the data theft, asset losses, and reputational damage that can result from cyber incidents. Your company should make it a priority to develop and implement an effective vulnerability management program as part of its cybersecurity program.
About the Author
Christopher Gebhardt is a Principal Consultant at ACA Aponix focused on IT, privacy, and cybersecurity transaction advisory. He also works with ACA's private equity firm clients on tech and cyber risk management strategies for their portfolio companies. Prior to joining ACA, Chris served as Associate Director of Infrastructure Engineering for Jet.com and as Director of Information Technology for Air Medical Resource Group (AMRG). Chris' prior experience includes several years as an IT Manager for several organizations, where he was considered an expert in paperless migrations. He has consulted with leading government organizations on IT projects to deliver strategic roadmaps. Chris earned his BS in Management from SUNY Empire State College. He is a Certified HIPAA Professional and holds the Certified Security Compliance Specialist certification covering ISO27001, NIST800, FISMA, GLBA, and state-level information security and compliance regulations.