Identifying stakeholders

Vulnerability management has a top-to-bottom approach. The following are the stakeholders that might be involved in and/or impacted by the vulnerability assessment:

  • Executive/top management: To achieve the desired success in the vulnerability assessment program, top management should support the activity by allocating all required resources.
  • IT security head: This can be a dedicated role or an additional responsibility assigned to competent personnel. Usually, this position reports directly to executive/top management, giving them a bird's-eye view of the organization's security posture. To maintain security compliance, this position leads the multiple IT security programs run in an organization.
  • VA lead tester: This position refers to a subject matter expert who usually reports to the IT security head. The VA lead is responsible for:
    • Signing a Statement of Work (SoW)
    • Maintaining an NDA
    • Checking for the legal aspects of conducting such tests in a particular environment
    • Gathering requirements and defining scope
    • Planning vulnerability assessments
    • Managing required tools, devices, and the licenses required for the vulnerability assessment
    • Managing the team and the team activities that are part of the vulnerability assessment
    • Maintaining a single point of contact (SPOC) between all stakeholders involved in the vulnerability assessment program
    • Keeping all stakeholders updated on activities that are part of the vulnerability assessment
    • Generating and signing an executive summary of the vulnerability assessment
  • VA tester: VA testers carry out the following activities that are necessary to run the VA program:
    • Configuring and updating an automated scanner tool/device
    • Monitoring automated scans for any disruption or unsolicited impact
    • Conducting manual tests
    • Conducting proof of concepts (PoCs)
    • Generating detailed reports
    • Providing timely updates to the VA lead tester
  • Asset owners: The owner of every service/system/application/network/device that is part of a vulnerability assessment is involved in the program. Owners are responsible for responding to any disruption that may happen. Owners should be aware of the detailed assessment plan for assets under their ownership and should have restoration and recovery plans ready to reduce impact.
  • Third-party service providers: Ownership of Commercial Off-The-Shelf (COTS) applications belongs to the respective service providers. If the scope demands assessment of such COTS assets, involvement of the respective third parties is necessary. Recently, organizations have been opting for more and more cloud services. Hence, the SPOC of the respective cloud service providers needs to be involved in the program to ensure the smooth execution of the VA.
  • End users: Rarely, end users may also be impacted by reparation of the VA program.