Technology Portfolio Management (TPM) Best Practices
Assess the security posture of every technology in the portfolio
Overview
Every technology in the portfolio creates a security surface: a set of potential attack vectors, vulnerability exposures, and configuration risks that adversaries can exploit to compromise the organization’s systems, data, and operations. The aggregate of those security surfaces across the full Technologies Inventory family is the organization’s technology security footprint — and managing it requires assessment of each technology’s security posture, not just the highest-profile technologies or the ones that were most recently deployed. Technologies that have been in production for years without security reassessment accumulate vulnerability exposure as the threat landscape evolves, new vulnerability classes are discovered, and the technology’s security architecture becomes dated relative to current security standards.
Best Practice
Assess the security posture of every technology in the Technologies Inventory family as a standard component of the annual governance review cycle and as an event-driven obligation whenever a significant security disclosure affects a technology in the portfolio. The security posture assessment should address at minimum: the current known vulnerability profile of the technology, drawing on the NIST National Vulnerability Database and any applicable vendor security advisories; the technology’s current patch and version currency status relative to the vendor’s current security-supported release; the security architecture of the technology, including its access control model, encryption posture, network exposure, and logging and monitoring capabilities; the security configuration standards applied to the technology across all deployments in the organization, and the degree to which those standards are consistently enforced; and the security certification status of the technology, including any applicable compliance certifications such as SOC 2, ISO 27001, or FedRAMP that the organization requires of technology vendors. (Source: NIST National Vulnerability Database, nvd.nist.gov.)
Connect the security posture assessment to the Risks and Issues Inventory so that material security findings are recorded as organizational risk records with defined severity, ownership, and remediation timelines. Technology security posture should be a direct input to the Technical Fitness score in the technology assessment framework — a technology with a poor security posture cannot receive a high Technical Fitness score regardless of its other technical characteristics.
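The five assessment dimensions and the Technical Fitness linkage described above, as an added worked example that is not part of the IF4IT page: a small Python model that scores one technology's security posture across those dimensions, caps its Technical Fitness at the posture score (so a poor posture cannot yield a high fitness), and emits Risks and Issues records carrying severity, owner and a remediation due date. The weights, thresholds, remediation timelines, technology names and vulnerability identifiers are constructed assumptions, not values from the page or from NVD.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation timelines by severity (assumed policy values, not from the page).
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Architecture controls the assessment expects to be present (assumed list).
REQUIRED_CONTROLS = ("access_control", "encryption_in_transit", "encryption_at_rest", "logging")


@dataclass
class TechnologyPosture:
    name: str
    owner: str
    known_vulns: list             # [(vuln_id, cvss_base_score)], constructed sample data
    deployed_version: str
    supported_version: str        # vendor's current security-supported release
    architecture: dict            # REQUIRED_CONTROLS flags plus "internet_exposed"
    config_enforcement_pct: float # share of deployments meeting the configuration standard
    certifications: set
    required_certifications: set


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def posture_score(t: TechnologyPosture) -> int:
    """0..100; each of the five dimensions can deduct at most 20 points (assumed weighting)."""
    deductions = {"critical": 20, "high": 10, "medium": 4, "low": 1, "none": 0}
    # 1. Known vulnerability profile.
    vuln_penalty = min(20, sum(deductions[cvss_severity(s)] for _, s in t.known_vulns))
    # 2. Patch / version currency against the security-supported release.
    currency_penalty = 0 if version_tuple(t.deployed_version) >= version_tuple(t.supported_version) else 20
    # 3. Security architecture: 5 points per missing control, 5 more for internet exposure.
    missing = [c for c in REQUIRED_CONTROLS if not t.architecture.get(c)]
    exposed = 1 if t.architecture.get("internet_exposed") else 0
    arch_penalty = min(20, 5 * (len(missing) + exposed))
    # 4. Consistency of configuration-standard enforcement across deployments.
    config_penalty = round((100 - t.config_enforcement_pct) * 0.2)
    # 5. Required compliance certifications the vendor does not hold.
    cert_penalty = min(20, 10 * len(t.required_certifications - t.certifications))
    return max(0, 100 - vuln_penalty - currency_penalty - arch_penalty - config_penalty - cert_penalty)


def technical_fitness(other_fitness: int, t: TechnologyPosture) -> int:
    """Technical Fitness can never exceed the security posture score (assumed cap rule)."""
    return min(other_fitness, posture_score(t))


def risk_records(t: TechnologyPosture, today: date) -> list:
    """Material findings as Risks and Issues records with severity, owner and due date."""
    records = []

    def add(title: str, severity: str) -> None:
        records.append({"technology": t.name, "title": title, "severity": severity,
                        "owner": t.owner, "due": today + timedelta(days=REMEDIATION_DAYS[severity])})

    for vuln_id, cvss in t.known_vulns:
        severity = cvss_severity(cvss)
        if severity != "none":
            add(f"Known vulnerability {vuln_id} (CVSS {cvss})", severity)
    if version_tuple(t.deployed_version) < version_tuple(t.supported_version):
        add(f"Deployed {t.deployed_version} is behind security-supported {t.supported_version}", "high")
    for cert in sorted(t.required_certifications - t.certifications):
        add(f"Required certification missing: {cert}", "medium")
    if t.config_enforcement_pct < 90:
        add(f"Configuration standard enforced on only {t.config_enforcement_pct:.0f}% of deployments", "medium")
    return records


# Constructed sample inventory entries (not real products or vulnerability identifiers).
LEGACY = TechnologyPosture(
    name="Legacy App Server", owner="platform-team",
    known_vulns=[("VULN-CONSTRUCTED-1", 9.8), ("VULN-CONSTRUCTED-2", 5.3)],
    deployed_version="2.4.1", supported_version="2.6.0",
    architecture={"access_control": True, "encryption_in_transit": True,
                  "encryption_at_rest": False, "logging": False, "internet_exposed": True},
    config_enforcement_pct=60.0,
    certifications={"SOC 2"}, required_certifications={"SOC 2", "ISO 27001"},
)
MANAGED = TechnologyPosture(
    name="Managed IAM Service", owner="identity-team",
    known_vulns=[], deployed_version="5.1.0", supported_version="5.1.0",
    architecture={"access_control": True, "encryption_in_transit": True,
                  "encryption_at_rest": True, "logging": True, "internet_exposed": False},
    config_enforcement_pct=98.0,
    certifications={"SOC 2", "ISO 27001", "FedRAMP"}, required_certifications={"SOC 2", "ISO 27001"},
)

if __name__ == "__main__":
    for tech in (LEGACY, MANAGED):
        print(tech.name, "posture:", posture_score(tech), "fitness:", technical_fitness(85, tech))
        for record in risk_records(tech, date(2024, 1, 15)):
            print("  ", record["severity"], record["due"], record["title"])
```

Running it shows the cap in action: the legacy server's other technical characteristics might merit a fitness of 85, but its posture score of 27 drags Technical Fitness down to 27, and five dated risk records are generated for it, while the current, certified service keeps its fitness and produces no records.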
Benefit(s)
A consistent, portfolio-wide security posture assessment regime gives the organization a current, complete picture of its technology security exposure that point-in-time security assessments of individual systems cannot provide. Security vulnerabilities and configuration weaknesses are identified through a governed assessment process rather than discovered by adversaries during incidents. The security posture data connects technology governance to the enterprise security function, ensuring that technology investment and rationalization decisions are informed by security evidence and that security decisions are informed by technology portfolio intelligence.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present