15.6 ASSESSING INFORMATION SECURITY VULNERABILITIES IN THE ENTERPRISE



15.6.1 Vulnerability Management Program (VMP)

Maintaining ongoing compliance with HIPAA regulations requires that all covered entities prove due diligence across each focus area within the organization's published security policy. Because software vulnerabilities present a significant risk to the confidentiality, integrity, and availability of protected information resources, vulnerability management represents one of the most critical areas for ongoing compliance. Risk exposure can be minimized by establishing a program that includes the methodologies for planning, identifying, assessing, and remediating network and application vulnerabilities.

A detailed vulnerability management program differs from stand-alone vulnerability assessments in that a VMP lays the framework for strategic initiatives surrounding vulnerabilities, rather than maintaining only a tactical focus on assessment and remediation. A well-defined VMP incorporates a regular risk assessment of an organization's business-critical assets. It makes enterprise-wide assessments easier to conduct and helps to increase the frequency with which they can be conducted. The VMP concept also endeavors to empower the organization to create timely and useful reports regarding vulnerabilities and how to remediate them. By leveraging the program's reporting and the resulting corrective measures, the organization is capable of directing IT resources toward high-value preventative actions that directly impact long-term cost controls. These fundamental differences help to bridge the gaps that exist between management, operations, and the security teams when vulnerability assessments are conducted on a stand-alone basis. In short, the VMP provides a holistic approach toward vulnerability risk management.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
