Laws, Regulations & Policy

Laws, regulations, policies, standards, practices and procedures all establish requirements for the level of controls that should be in place for a specific risk. In effect, a law such as a 55 mile-per-hour speed limit states the maximum level of risk that the government will accept. Similarly, a policy states the maximum level of risk that a business will accept. A policy may state that all static passwords must be at least eight characters long. In effect, the business is stating that a seven-character password creates too much risk, while a password of eight characters or more meets the minimum risk requirement.

If a business fails to comply with a requirement in a law, policy or procedure, it has created a vulnerability. The seven-character password is a defect or weakness that must be remediated. The vulnerability should then be assessed in terms of the access required to exploit it and the additional privilege that a successful exploitation grants the attacking entity. For example, a weak password on a read-only Guest account is likely less of a vulnerability than a weak password on the system administrator account. The challenge is that even a read-only account may pose a significant risk if the data it can reach is highly sensitive or proprietary. As a result, prioritizing the response to the vulnerability may be difficult, and it may be advisable to strive for the complete removal of the vulnerability.

©2009 ISRMC, LLC