Improving Ad Hoc Vulnerability Scanning for Effective Security Threat and Vulnerability Management

Ad Hoc Vulnerability Scanning and Alignment with Security Threat and Vulnerability Management


Question

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

Answer

D.

Explanation

The scenario presented in the question highlights a gap in the organization's security threat and vulnerability management program. Ad hoc vulnerability scanning that is not clearly aligned with the program could result in vulnerabilities being overlooked or not remediated promptly, leaving the organization exposed to potential threats.

The BEST option to address this issue is to implement a capability maturity model (CMM) to identify a path to an optimized program. A capability maturity model provides a framework for assessing an organization's current level of maturity in a particular area and identifying opportunities for improvement. In this case, a CMM for security threat and vulnerability management would enable the organization to evaluate its current practices and identify areas for improvement, leading to a more robust and effective program.

Outsourcing the threat and vulnerability management function to a third party (option A) may address the immediate gap in vulnerability scanning, but it does not address the underlying issue of a lack of alignment with the organization's wider security threat and vulnerability management program. Moreover, outsourcing the function may not be cost-effective or practical for all organizations.

Implementing security logging to enhance threat and vulnerability management (option B) is a good practice that supports threat and vulnerability management, but it does not address the underlying issue of a lack of alignment with the organization's wider security threat and vulnerability management program.

Maintaining a catalog of vulnerabilities that may impact mission-critical systems (option D) is also a good practice, but it does not provide a framework for the organization to evaluate its current practices and identify areas for improvement.

In summary, implementing a CMM for security threat and vulnerability management is the BEST option for the organization to work toward improving its vulnerability management program.