Design and Implement a Vulnerability Management Program

Know what to protect and know when you’re overprotecting.

Unlock

This content requires an active subscription.

Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.

Speak With A Representative Sign In
or Call: 1-888-670-8889 (US) or 1-844-618-3192 (CAN)

Solution Set Storyboard thumbnail
View Storyboard

Your Challenge

  • Scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
  • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider including the threat of the vulnerability and the potential remediation itself.
  • Further, companies are unaware of the risk implications that come from leaving vulnerabilities open, and even from some of the remediation options.

Our Advice

Critical Insight

  • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
  • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
  • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

Impact and Result

  • Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.
  • Follow Info-Tech’s methodology in assigning urgencies to vulnerabilities by examining the intrinsic qualities of the vulnerability, as well as the sensitivity of the data and business criticality of the affected asset.
  • Understand what needs to be considered when implementing remediation options including patches, configuration changes, and/or defense-in-depth controls.

Contributors

  • Arell Chapman, VP Information Technology, Gleaner Life Insurance Society
  • Dave Millier, CEO, Uzado Inc.
  • Dominica McCoy, Network Security Engineer, DTS Technology & Entertainment Solutions
  • Gerry Holmes, Director, Information Technology, Canadian Cancer Society, Ontario Division
  • James Webb, Sr. Systems Specialist, Muscogee Creek Nation Casino
  • Mark Sauer, Director, Technology Information Security & Architecture, M Financial Group
  • Morey Haber, Vice President of Technology, BeyondTrust
  • Mike Nelson, IT Security Analyst, Banner Health
  • Paul Daley, Sr. Analyst, Security Management, Toronto District School Board
  • Phaphani Boya, ICT Security Officer, Mediclinic Southern Africa Ltd.
  • Shane Adams, Director of IT Engineering, Pearl River Resort
  • Steve Kurutz, Director of Information Services, McElvain Energy, Inc.
  • 2 anonymous contributors.

Get the Complete Storyboard

See how all the steps you need to take come together, with tools and advice to help with each task on your list.

Download Now

Get to Action

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

  1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

  2. Triage vulnerabilities and assign urgencies

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

  3. Remediate vulnerabilities

    Develop a process to remediate vulnerabilities, including the identification of the appropriate remediation option.

  4. Continually improve the vulnerability management process

    Evolve the program continually by developing metrics and formalizing a policy.

Guided Implementation icon Guided Implementation

This guided implementation is a thirteen call advisory process.

    Guided Implementation #1 - Identify vulnerability sources

  • Call #1: Project kick off call

  • Call #2: Select a vulnerability scanning tool

  • Call #3: Select penetration testing

  • Call #4: Identify third-party and incident vulnerability sources

    • Guided Implementation #2 - Triage vulnerabilities and assign urgencies

  • Call #1: Triage and evaluate the vulnerabilities

  • Call #2: Define business-critical operations and data classifications

  • Call #3: Finalize the urgency assignments

    • Guided Implementation #3 - Remediate vulnerabilities

  • Call #1: Identify remediation options and establish criteria

  • Call #2: Formalize backup and testing procedures

  • Call #3: Remediate vulnerabilities and verify

    • Guided Implementation #4 - Continually improve the vulnerability management process

  • Call #1: Measure the program through metrics

  • Call #2: Update the vulnerability management policy

  • Call #3: Re-evaluate the vulnerability management process continually

Schedule Your First Call

Onsite Workshop

Module 1: Identify Vulnerability Sources

The Purpose

  • To develop the ways in which your organization can identify vulnerabilities

Key Benefits Achieved

  • Formalized processes and technology management to ensure effective and efficient vulnerability identification.

Activities: Outputs:
1.1 Build your vulnerability management team and define your program scope and boundary.
  • Established vulnerability management team and defined scope of program.
1.2 Evaluate and select vulnerability scanning tools.
  • Evaluated vulnerability scanning tool capabilities and developed RFP.
1.3 Evaluate penetration testing.
  • Assessed organization appropriateness for penetration testing and developed RFP.
1.4 Identify third-party vulnerability monitoring sources.
  • Documented schedules for monitoring of third-party vulnerability sources.
1.5 Develop a vulnerability detection incident process.
  • Defined processes to ensure incident management processes provide vulnerability information.

Module 2: Triage Vulnerabilities and Assign Urgencies

The Purpose

  • Triage vulnerabilities to understand if they are relevant to your organization.
  • Evaluate the intrinsic qualities of the vulnerabilities.
  • Determine high-level business criticalities and high-level data classifications.
  • Use these factors to build a methodology to break down the vulnerabilities into 12 different urgency levels.

Key Benefits Achieved

  • Triaging process for vulnerabilities.
  • Classifications for business critical operations, and for data classification.
  • A vulnerability evaluation process that incorporates the intrinsic aspects of the vulnerabilities, as well as how it poses a risk to the organization.

Activities: Outputs:
2.1 Review triaging process.
  • A process to triage vulnerabilities to understand if they are relevant.
2.2 Identify how to evaluate vulnerabilities.
  • An evaluation method of vulnerabilities, based on the risk the vulnerability itself holds.
2.3 Determine high-level business criticality.
  • Defined high-level business criticality classifications.
2.4 Determine high-level data classifications.
  • Defined high-level data classifications.
2.5 Assign urgencies to vulnerabilities.
  • An overall process to assign urgencies to the vulnerabilities.

Module 3: Remediate Vulnerabilities

The Purpose

  • Build a remediation process that takes the urgencies of the vulnerabilities and identifies the appropriate remediation option.
  • Review the different remediation options and create criteria for when to use each one.
  • Link these to your other IT processes for your backups, testing, and remediation.

Key Benefits Achieved

  • A remediation process that identifies the appropriate remediation option, conducts backups, performs tests, and then fully implements the option.
  • Established criteria for when each remediation option should be used.
  • Formalized when vulnerabilities should become part of a security incident.

Activities: Outputs:
3.1 Prepare formal documentation for the remediation process.
  • Documents to track vulnerabilities through remediation.
3.2 Establish defense-in-depth modelling.
  • A high-level defense-in-depth model.
3.3 Identify remediation options and criteria to use each.
  • Established criteria for when to use and when to avoid each remediation option.
3.4 Formalize the backup schedule.
3.5 Establish testing process, including exceptions.
  • Established criteria for when remediation options can be exempted from testing.

Module 4: Continually Improve the Vulnerability Management Process

The Purpose

•Ensure that the program continues to evolve as the security landscape continues to evolve.

•Determine how to measure the effectiveness of the overall program.

Key Benefits Achieved

Metrics in which to measure the overall program.

  • Continual review for when new assets and systems are introduced to the organization.
  • Update of the defense-in-depth model as security evolves.

Activities: Outputs:
4.1 Finalize remediation process.
  • Finalized remediation process.
4.2 Measure the program through metrics.
  • Metrics to measure the vulnerability management program as a whole and in more specific areas.
4.3 Update the vulnerability management policy.
  • A vulnerability management policy.
4.4 Re-evaluate the vulnerability management process continually.
  • Continual work with Info-Tech to ensure that the program improves and evolves.

Workshop Icon Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Book Now

Risk Management Map

GET HELP Contact Us
×
VL Methodology

Request a call, book an appointment, or live chat with one of our representatives.

Get in Touch