10-Step Security and Vulnerability Assessment Plan
Use this plan to ensure your information system controls are correctly implemented.
When it comes to IT system weak spots, having a standard set of names to identify them can mean the difference between a quick, coordinated remediation and a disorganized, time-consuming work stoppage.
A vulnerability naming scheme assigns a standardized, unique name to each specific weakness in an IT system, whether a flaw in a piece of software (for example, an operating system component) or a security configuration issue (for example, a weak setting), so that the tools used to manage system security (vulnerability and patch management software, vulnerability assessment tools, anti-virus software and intrusion detection systems) all refer to the same weakness by the same name and can interoperate. Without a shared name, each tool describes a weakness in its own words and nothing ties a scanner finding to the patch that fixes it or to the intrusion alert that exploits it. Interoperability among these tools reduces the delays and inconsistencies that otherwise creep into vulnerability assessment, reporting, decision-making and remediation.
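To make the interoperability point concrete, here is an added example (not part of the original page or of the NIST guide) that correlates findings from three hypothetical tools by the standardized identifier each one references. It assumes the public identifier syntaxes, CVE-YYYY-NNNN with four or more sequence digits and CCE-NNNNN-N with a trailing check digit that is not verified here; the tool names, record layout and sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Identifier syntaxes (assumptions based on the public CVE and CCE formats):
# CVE-YYYY-NNNN with four or more sequence digits; CCE-NNNNN-N, the final
# digit being a check digit that this example does not verify.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
CCE_RE = re.compile(r"\bCCE-\d{5}-\d\b", re.IGNORECASE)


def extract_ids(text):
    """Return the standardized identifiers found in free text, normalized to upper case."""
    found = set()
    for pattern in (CVE_RE, CCE_RE):
        for match in pattern.finditer(text):
            found.add(match.group(0).upper())
    return found


def scheme_of(identifier):
    """Classify an identifier: 'CVE' names a software flaw, 'CCE' a configuration issue."""
    return identifier.split("-", 1)[0]


def correlate(records):
    """Group records from different tools by the identifier they reference.

    Each record is a dict with 'tool', 'host' and 'text' (hypothetical layout).
    A record with no recognizable identifier is kept under the key None rather
    than dropped: an unnamed weakness is exactly the inconsistency a naming
    scheme is meant to remove, and it needs a human to resolve it.
    """
    by_id = defaultdict(list)
    for rec in records:
        ids = extract_ids(rec["text"])
        if not ids:
            by_id[None].append(rec)
        for identifier in ids:
            by_id[identifier].append(rec)
    return dict(by_id)


def unresolved(by_id, detector, remediator):
    """Identifiers reported by `detector` that `remediator` has no record of."""
    gaps = set()
    for identifier, recs in by_id.items():
        if identifier is None:
            continue
        tools = {r["tool"] for r in recs}
        if detector in tools and remediator not in tools:
            gaps.add(identifier)
    return gaps


# Sample records constructed for this example. The descriptions are
# illustrative and are not statements about the real entries behind the IDs.
SAMPLE_RECORDS = [
    {"tool": "scanner", "host": "web01", "text": "Outdated TLS library (cve-2014-0160)"},
    {"tool": "scanner", "host": "web01", "text": "Password minimum length below policy, CCE-27002-5"},
    {"tool": "scanner", "host": "db01", "text": "Kernel privilege escalation CVE-2016-5195"},
    {"tool": "patchmgmt", "host": "web01", "text": "Vendor patch applied; fixes CVE-2014-0160"},
    {"tool": "ids", "host": "web01", "text": "Exploit attempt signature matched CVE-2014-0160"},
    {"tool": "scanner", "host": "db01", "text": "Weak cipher suite enabled"},  # no identifier
]


if __name__ == "__main__":
    grouped = correlate(SAMPLE_RECORDS)
    for identifier, recs in grouped.items():
        tools = sorted({r["tool"] for r in recs})
        print(identifier or "<no identifier>", "->", ", ".join(tools))
    print("detected but not remediated:", sorted(unresolved(grouped, "scanner", "patchmgmt")))
```

The scanner, patch manager and IDS each describe the same weakness in their own words, and only the shared identifier lets the three records be joined; the record that names no identifier surfaces under `None` so that it is triaged rather than lost.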
The National Institute of Standards and Technology has published a guide (Special Publication 800-51, Guide to Using Vulnerability Naming Schemes) to the two widely used vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE), which names software flaws, and Common Configuration Enumeration (CCE), which names security configuration issues. Use the recommendations and information in this guide to adopt these naming schemes in your organization so you can quickly and consistently identify system weaknesses and locate remediation information when a problem arises.