This information security policy addresses requirements for the management of vulnerabilities created by human error in the configuration of the controls of a variety of system components. These vulnerabilities are very common and usually very easy to find and eliminate through simple scanning followed by error correction. Unfortunately, they are also very easy for a modestly skilled attacker to find and exploit. The significant risk arising from these vulnerabilities can be minimized by active use of vulnerability assessment scanning technology. This policy applies a strategy of finding each vulnerability as soon as possible after it is created, correcting the error that created it as soon as possible after it is found, and rescanning the component to verify that the correction was effective and that no new errors were introduced. This is one of the few instances where an aggressive strategy of risk elimination is the only effective approach available.