Main Menu
Home / IT Governance / Risk Management: Understand Vulnerabilities First

Risk Management: Understand Vulnerabilities First

It’s easy to see where an organization underspent or overspent in the evaluation and mitigation of risks: there’s almost always a point where, in hindsight, the right amount of control is discovered. The solution, according to Peter Spier, is a mix between business minded and technical risk management. The balance helps create a solution that is both cost and needs effective. By using a Common Vulnerability Scoring System (CVSS), an organization can identify “vulnerability access vectors, complexity, authentication requirements, and the potential impact to confidentiality, integrity, and availability.” However, having these security controls in place doesn’t make you invulnerable:

For example, suppose a database server is identified as being prone to one or more SQL injection vulnerabilities. It is isolated to a dedicated network segment with established access controls restricting communications to authorized internal hosts and the entirety of network assets protected by host-based and perimeter security controls including, respectively, both anti-virus protection and an intrusion prevention system. While the probability of exploit is arguably contained, the vulnerability remains.

This is one of the reasons why understanding vulnerability is essential: without understanding it is impossible to recognize what will and will not be effective in managing them, what risks will still exist, or what vulnerabilities were not addressed.


About Anne Grybowski

Anne is a former staff writer for CAI's Accelerating IT Success, with a degree in Media Studies from Penn State University.

Check Also

4 Symptoms and Solutions to Security Fatigue

The news has led us to believe that security breaches are happening everywhere, and, well, …

Leave a Reply

Your email address will not be published. Required fields are marked *