Cyber threats arise from vulnerabilities in the ICT infrastructure, applications and/or in the organization of business activities. They can undermine the effective protection of company activities and of company and personal data. Ultimately, these vulnerabilities can threaten the continuity of business operations and even shut down a company. The causes of the vulnerabilities can lie in, for example, the complexity of the digital systems, the lack of “security by design”, incorrect implementation and/or insufficient testing. The causes can also lie with chain partners who supply products, applications and services to the company.
Sharing research results
A vulnerability can be noticed by an unknown researcher. If this researcher acts in good faith, they will be willing to share the research results with the company. It is important to handle the researcher/reporter and the report properly, to prevent the information from falling into unwanted hands before the company can fix the vulnerability.
With a Coordinated Vulnerability Disclosure (CVD) policy, a company can arrange that vulnerabilities identified outside the company are handled in a controlled manner, under the company's own direction. The policy sets out frameworks for documenting and analyzing these vulnerabilities and for resolving them quickly by taking appropriate measures. As a result, the consequences for business operations are limited. On its website, the company publishes a CVD Policy stating how vulnerabilities can be reported and under what conditions.
Embedding in your own organization
Before a company can go public with a CVD Statement, CVD must first be set up within its own organization. After all, promising a researcher to work according to agreements and then not fulfilling them can have the opposite effect, causing the researcher to take other paths with the vulnerability.
How can we help you?
Do you have questions about organizing, implementing or expanding your Coordinated Vulnerability Disclosure (CVD)? Our service owner, Caroline Willemse AA RE RFG or her colleagues, would be happy to discuss your specific case.
A company has to make choices about how it wants to organize CVD. If little knowledge and/or capacity is available, the process can be outsourced. A company can also opt for partial outsourcing and supplement its own knowledge through training.
We can support you with:
- Supporting the preparation of a business case to explore possibilities and make informed decisions;
- Drawing up an internal CVD policy and an external CVD policy;
- Developing roles, tasks and powers;
- Drawing up a procedure to handle a report properly and in a timely manner, including documentation and reporting;
- Making agreements with experts, such as technical IT specialists and legal specialists, so that they are available on demand when a vulnerability is being handled;
- Training employees to perform roles; and
- Maintaining contact with the reporter.
Every IT-driven product or service has vulnerabilities. Sometimes researchers identify vulnerabilities and report them to the company; sometimes cyber criminals take advantage of a vulnerability to extort the company.
Resilience to vulnerabilities in IT products and services increases if a company knows its IT-driven products and services, and if the organization is open to accepting reported vulnerabilities and taking decisive measures.
By supplementing these measures with thorough testing of implemented systems and by preparing for incidents, unpleasant situations can be limited.
Most companies use cloud service providers to support their business processes with IT products and services that organize business operations effectively. With most cloud services, a range of professional controls is offered, targeting for example the NIST Cybersecurity Framework Core (April 2018).
MYOBI Trust Network adds to this NIST framework the management of vulnerabilities in company IT products and services that are identified by researchers: Coordinated Vulnerability Disclosure.