One of the main purposes of implementing a vulnerability management program is to generate awareness regarding security risk exposure, and the far-reaching impacts these exposures can have on the enterprise. While the requirements placed on covered entities by HIPAA security rules help to provide the needed justification for a comprehensive VMP implementation, it is still crucial to ensure that upper management is in support of any initiatives related to the program. Assessing, reporting, and resolving problem areas are a collaborative effort that can extend across multiple departments and levels within an organization. On occasion, the effects of these actions can be far-reaching and may result in system downtime or unavailability. It is for these reasons that the entire enterprise must be informed not only of the program, but also the practical and business purposes that it addresses.
By laying the framework for a VMP, an organization is making a statement about the importance of identifying and reducing risk exposure. It is within this framework that all practices governed by the program should be outlined and defined in detail. Although organizations are free to pick and choose which specific actions will be included in their respective VMP, total value is achieved, and due diligence proved, through a complete implementation of all items identified below:
Documentation of business critical assets
Identification of acceptable risk exposure
Identification of parties accountable for program exceptions, deviations, and remediation
Procedures for conducting assessments
Procedures for response and remediation
Review of security policies and procedures
Quantitative and qualitative reporting
End-user education
After identifying the plan's scope, a realistic and achievable time frame must be established in which the plan can be developed and executed. Designing and implementing the plan may require as little as one month or as long as one year, depending on the size of the organization. The key to setting the right time frame is open communication with all affected parties, ensuring that each group fully understands exactly which responsibilities and issues it will retain authority over.