ABSTRACT

Controls may be tailored to fit the needs of the organization, and not every control will be applicable. Government entities will have a formalized assessment and authorization process (formerly known as security certification and accreditation). However, each organization should develop a process whereby the security controls and the residual risk are approved and accepted by senior management. Risk assessments are the topic of much discussion these days, and rightfully so. The risk assessment should represent a documented meeting of the minds between information security and senior management. Once the process is in place and the initial list of vulnerabilities has been mitigated, the time required to remediate subsequent vulnerabilities should decrease and become more manageable. Software installs should be centrally controlled for vulnerability management and license tracking. Installing more licenses than are used costs the company money, while installing more copies than are licensed exposes it to fines from software vendors.