***** Vulnerability Management. By Park Foreman. CRC Press, www.crcpress.com; 332 pages; $79.95.
Many people are unaware of vulnerability management (VM), which can help ensure security for information technology infrastructure and improve an organization’s governance, risk, and compliance posture. This work can help to rectify that lack of knowledge.
Author Park Foreman defines vulnerability management as “the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.” He examines VM from both a technology and process perspective. The VM process, he argues, is not just about deploying technology onto computing and network devices to check a box for security. It is about someone taking responsibility for remediation and reassessment to ensure that critical vulnerabilities have been repaired or corrected.
VM is a relatively young aspect of information security, and its application is not well understood. Foreman explains that this immaturity is because “strong, enterprise-ready technology is only now becoming available.” He further explains that the need for a complete, integrated solution with well-defined processes has not been fully recognized for VM.
He argues that traditional security products, such as antivirus software and firewalls, only temporarily mitigate risks, whereas the strength of VM is in the process. By removing vulnerabilities early and often, the IT workload is decreased, explains Foreman.
Chapter 2 underscores the importance of the roles of people and policy for VM. A clear definition of these roles and how they work together in a successful VM program is well explained.
The author explains how the VM process can be aligned to life-cycle frameworks in many large organizations. He also discusses the importance of “reducing the perception of VM as a threat to anyone’s performance image.”
The author’s writing style is direct and chapters are well-sequenced and organized. Foreman’s use of examples and detailed case studies help the reader to understand how vulnerabilities are created. Illustrations further clarify VM and most chapters provide a concise summary.
Overall, this book provides excellent guidance for the information security practitioner and the network security engineer, as well as those who need an understanding of the strategic significance of vulnerabilities and reasons for their control.