Saving Money with IT Security Processes. Example 12/26: Avoid Website Defacement with Vulnerability Management

Article number 12 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Vulnerability Management is the process that helps your information system stay up to date with patches that fix vulnerabilities in the software you use. One striking example is: with correct Vulnerability Management, you won't get any of your websites defaced.

Please note that it can't be reduced to just using another piece of software to update it all. No single piece of software can possibly fix everything on a regular basis, nor can it fix problems with the best acumen. It's the Vulnerability Management process. It does the following:

• Technological Watch for all currently used pieces of software and technologies. This means subscribing to newsletters or feeds from every single related vendor and reading them.
• Whenever a new vulnerability has been spotted, identify whether the company is affected or not.
• If it's affected, check how much it would cost to suffer from the exploitation of the vulnerability and compare with the cost of applying the patch or workaround.
• Have it put in action.

The Vulnerability Management process is not always identified as a process per se, but sometimes distributed in the Technological Watch and Patch Managements processes.

Saving Money with IT Security Processes. Example 7/26: Early Notice of Regulatory Compliance Changes through Technological and Legal Watch

Article number 7 in a series dedicated to giving examples of the way IT security processes can help your company save money.

Regulatory Compliance requirements are a pain in the back for companies. They've got to reach some government-imposed or industry-imposed requirements and they sometimes have to reach them by using imposed means, tools, technologies...

However, the most costly is not to put the requirements in practice if you know them from the start of projects. The most costly is to modify production afterwards, in haste, in order to comply:

• The production may incur downtimes and bugs because of the hasty patches.
• Besides, the architecture may have to be reviewed to support the requirements, and the previous architecture may be obsolete before it has paid off.
• Eventually, the patched system may be more expensive to operate than if it had been thought about correctly from the beginning.

A good way to prevent such blunders and losses of money from happening is the Technological and Legal Watch process. The goal of the process is to identify emerging threats. Threats can be:

• Technical, like a new vulnerability.
• Commercial, like a vendor no more supporting a product.
• Trends, like the emergence of a new kind of attacks (think XSS a few years ago).
• Regulatory, like the validation of an industry standard.
• Legal, like the imposition of a new legal requirement.

The best tool for Technological and Legal Watch process is the RSS feed. Feeds can be collected from related web sites. Feeds can also be created from Google searches (with keywords).