Seven Questions Every Service Owner Should Be Able to Answer

Critical vulnerabilities are being discovered and exploited faster than ever before. When a major vulnerability is announced, organizations often have limited time to assess risk and take action.

Service owners and administrators should be able to answer the following questions:

  1. What systems, applications, services, and third-party components does my service depend on?
  2. Who is responsible for maintaining each layer of the technology stack, including the operating system, web server, database, application runtime, middleware, and the application itself?
  3. How will we determine whether a newly disclosed vulnerability affects our environment?
  4. Can we perform emergency maintenance or patching outside of normal maintenance windows if necessary?
  5. Do we have documented backup, recovery, and rollback procedures?
  6. Are support contacts, escalation paths, and operational responsibilities documented and current?
  7. If a critical vulnerability were announced today, how quickly could we assess the impact and respond?

If any of these questions are difficult to answer, consider reviewing your documentation, clarifying ownership responsibilities, and validating recovery procedures before the next critical vulnerability requires immediate action.