In the “wild west” days of tech, IT systems were built like buildings with no doors or locks. Companies ran their IT on a break-fix basis: nothing was touched until it failed. That model no longer works. No one would consider building a building without doors and locks, and no one would consider managing a building without a plan to check the doors and locks regularly. The same principle applies to your IT. Doors and locks must be built into IT systems, and they need to be checked regularly.
At CRAG, we think you have enough to do running your business. Let us worry about your IT vulnerabilities. We take a security-first approach to your IT systems. We check to ensure doors and locks are installed. We monitor your systems to ensure the doors and locks work. We recommend security improvements over time. The modern threat landscape requires this approach. Our vulnerability management approach occurs in two phases: Risk Assessment and Risk Remediation. Each phase can be purchased separately.
A vulnerability management policy defines the process for identifying and remediating vulnerabilities across your IT infrastructure. It starts with an inventory of all the hardware and software running on the network, and with obtaining and verifying service-level agreements from existing vendors, so that the support and patch commitments behind each system are known. The policy then defines how vulnerabilities are scanned for, prioritized, remediated, and verified as remediated, closing the loop rather than assuming a patch worked.
If you need to be compliant with laws such as HIPAA and AWIA or standards such as PCI DSS, we ensure that the hardware and software we provide is compliant with these requirements. We obtain agreements from software and hardware manufacturers to support compliance. We provide our service-level agreement in writing to support compliance too.
Asset management must include both a hardware inventory and a software inventory: scanning the network to determine what devices are connected and what software, at which versions, they are running. New vulnerabilities in hardware and software are discovered continuously, and the affected systems need to be patched promptly. A device or package the inventory does not list will not be scanned, patched, or monitored, so vulnerability management starts with knowing what’s on your network.
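The following is an added example, not CRAG’s tooling, showing how the inventory described above drives the scan, prioritize, remediate and verify cycle from the policy section. It assumes a discovery scan has already produced host and package records (here constructed dicts) and a vendor advisory feed (here a constructed list with fictional software names and identifiers, not real CVEs); it flags devices that answered the scan but are missing from the inventory, matches installed versions against the advisories, orders the findings by severity, and re-checks a fresh scan to confirm which findings are actually closed.

```python
"""Inventory-driven vulnerability identification, prioritization and verification.

Added example, not CRAG's tooling. Hosts, IPs, package names and advisory
identifiers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Host:
    hostname: str
    ip: str
    packages: Dict[str, Version]  # software inventory: package name -> installed version


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    package: str
    fixed_in: Version  # every installed version below this is affected
    severity: float    # CVSS-style score 0-10 (constructed)


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory_id: str
    package: str
    installed: str
    fixed_in: str
    severity: float


def build_inventory(records: List[dict]) -> List[Host]:
    """Turn raw discovery-scan records (constructed dicts here) into Host objects."""
    return [
        Host(r["hostname"], r["ip"], {n: parse_version(v) for n, v in r["packages"].items()})
        for r in records
    ]


# Constructed hardware/software inventory, as a discovery scan would report it.
INVENTORY = build_inventory([
    {"hostname": "web01", "ip": "10.0.0.10", "packages": {"widgetd": "2.3.7", "acme-agent": "1.1.0"}},
    {"hostname": "db01",  "ip": "10.0.0.20", "packages": {"acme-agent": "1.2.0", "reportsvc": "3.0.2"}},
    {"hostname": "app02", "ip": "10.0.0.30", "packages": {"widgetd": "2.4.1", "acme-agent": "1.0.9"}},
])

# Constructed vendor advisories (fictional software and IDs).
ADVISORIES = [
    Advisory("ADV-0001", "widgetd",    parse_version("2.4.1"), 9.8),
    Advisory("ADV-0002", "acme-agent", parse_version("1.2.0"), 5.3),
    Advisory("ADV-0003", "reportsvc",  parse_version("3.0.5"), 7.5),
]


def unknown_devices(inventory: List[Host], discovered_ips: List[str]) -> List[str]:
    """Addresses that answered the network scan but are absent from the inventory."""
    known = {h.ip for h in inventory}
    return sorted(ip for ip in discovered_ips if ip not in known)


def find_findings(inventory: List[Host], advisories: List[Advisory]) -> List[Finding]:
    """Match every installed package against the advisories that affect its version."""
    findings = []
    for host in inventory:
        for adv in advisories:
            installed = host.packages.get(adv.package)
            if installed is not None and installed < adv.fixed_in:
                findings.append(Finding(host.hostname, adv.advisory_id, adv.package,
                                        ".".join(map(str, installed)),
                                        ".".join(map(str, adv.fixed_in)), adv.severity))
    return findings


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest severity first; ties broken by host and advisory for a stable work queue."""
    return sorted(findings, key=lambda f: (-f.severity, f.hostname, f.advisory_id))


def still_open(previous: List[Finding], rescanned: List[Host],
               advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Verification step: which earlier findings does a fresh scan still show?"""
    current = {(f.hostname, f.advisory_id) for f in find_findings(rescanned, advisories)}
    return sorted((f.hostname, f.advisory_id) for f in previous
                  if (f.hostname, f.advisory_id) in current)


if __name__ == "__main__":
    seen = ["10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.77"]  # constructed scan result
    print("devices not in inventory:", unknown_devices(INVENTORY, seen))
    for f in prioritize(find_findings(INVENTORY, ADVISORIES)):
        print(f"{f.severity:4.1f} {f.hostname:6} {f.advisory_id} {f.package} {f.installed} -> {f.fixed_in}")
```

The version comparison is done on parsed integer tuples because comparing version strings lexically gets "1.10.0" and "1.9.0" the wrong way round; the verification function re-runs the same matching logic on a new scan rather than trusting a ticket marked “patched”, which is the check the policy’s last step calls for.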