Risk-Based Approach to Vulnerability Prioritization

The Health Information Sharing and Analysis Center (Health-ISAC) has released a white paper on vulnerability management prioritization to provide insight into the different ways security teams can assess their organization’s level of risk against vulnerabilities while facing the challenge of addressing ongoing disclosures.
Network security teams are continually confronted with newly released vulnerabilities, whether publicly disclosed through coordinated processes or reported as zero-days by vendors and security researchers. Each vulnerability is typically assigned a Common Vulnerabilities and Exposures (CVE) identifier and a Common Vulnerability Scoring System (CVSS) score that summarizes its severity and exploitability. The sheer volume of this information has proven cumbersome, and a CVSS score alone does not tell an organization which findings actually matter to it, which strains vulnerability management capabilities.
Prioritization is central to vulnerability management because it underpins effective mitigation and remediation strategies at every organizational capability level. It is closely tied to capability maturity: a clear prioritization scheme helps security teams communicate with stakeholders, establish the value of each asset, and develop remediation policies that preserve the continuity of business-critical systems. Prioritization is a process that spans all capability levels and lets security teams direct limited resources to the vulnerabilities whose risk, once severity is weighed against asset value and exposure, exceeds the organization's risk appetite.
The paper takes into consideration different factors that influence decisions in vulnerability management prioritization and provides comprehensive guidance on the application of well-known concepts used to maintain the confidentiality, integrity, and availability of enterprise systems.