Focus On Managing Risk, Not Gruntwork

Resources for Federal Information Security Management Act (FISMA)

FISMA

With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter?

Answering that question is a lot harder than just looking at software vendor risk rankings and rushing to patch the "criticals" and pass on the "lows."

Last year, CERT tallied more than 7,000 publicly disclosed vulnerabilities. Who has time for that much patching?

In fact, many organizations may find, once all mitigating controls -- firewall rules, network segmentation, IPS devices, etc. -- are taken into account, that they actually want to patch a couple of low-risk vulnerabilities on a machine managing highly classified data. Or perhaps patching one or two at-risk systems in the DMZ is enough to keep the rest of the infrastructure secure, because those security controls mitigate the other unpatched systems. The rest of the patching can then wait a little while, at least until the patches have been tested.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.