Design and Implement a Vulnerability Management Program

Know what to protect and know when you’re overprotecting.

Contributors

  • Arell Chapman, VP Information Technology, Gleaner Life Insurance Society
  • Dave Millier, CEO, Uzado Inc.
  • Dominica McCoy, Network Security Engineer, DTS Technology & Entertainment Solutions
  • Gerry Holmes, Director, Information Technology, Canadian Cancer Society, Ontario Division
  • James Webb, Sr. Systems Specialist, Muscogee Creek Nation Casino
  • Mark Sauer, Director, Technology Information Security & Architecture, M Financial Group
  • Morey Haber, Vice President of Technology, BeyondTrust
  • Mike Nelson, IT Security Analyst, Banner Health
  • Paul Daley, Sr. Analyst, Security Management, Toronto District School Board
  • Phaphani Boya, ICT Security Officer, Mediclinic Southern Africa Ltd.
  • Shane Adams, Director of IT Engineering, Pearl River Resort
  • Steve Kurutz, Director of Information Services, McElvain Energy, Inc.
  • 2 anonymous contributors.

Your Challenge

  • Scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
  • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider including the threat of the vulnerability and the potential remediation itself.
  • Further, companies are unaware of the risk implications that come from leaving vulnerabilities open, and even from some of the remediation options.

Our Advice

Critical Insight

  • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
  • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of each vulnerability, and then selecting a remediation option, which may go beyond patching alone.
  • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

Impact and Result

  • Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.
  • Follow Info-Tech’s methodology in assigning urgencies to vulnerabilities by examining the intrinsic qualities of the vulnerability, as well as the sensitivity of the data and business criticality of the affected asset.
  • Understand what needs to be considered when implementing remediation options including patches, configuration changes, and/or defense-in-depth controls.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Identify vulnerability sources

Begin the project by creating a vulnerability management team and determining how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

2. Triage vulnerabilities and assign urgencies

Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

3. Remediate vulnerabilities

Develop a process to remediate vulnerabilities, including the identification of the appropriate remediation option.

4. Continually improve the vulnerability management process

Evolve the program continually by developing metrics and formalizing a policy.

Guided Implementations

This guided implementation is a thirteen-call advisory process.

Guided Implementation #1 - Identify vulnerability sources

Call #1 - Project kick off call
Call #2 - Select a vulnerability scanning tool
Call #3 - Select penetration testing
Call #4 - Identify third-party and incident vulnerability sources

Guided Implementation #2 - Triage vulnerabilities and assign urgencies

Call #1 - Triage and evaluate the vulnerabilities
Call #2 - Define business-critical operations and data classifications
Call #3 - Finalize the urgency assignments

Guided Implementation #3 - Remediate vulnerabilities

Call #1 - Identify remediation options and establish criteria
Call #2 - Formalize backup and testing procedures
Call #3 - Remediate vulnerabilities and verify

Guided Implementation #4 - Continually improve the vulnerability management process

Call #1 - Measure the program through metrics
Call #2 - Update the vulnerability management policy
Call #3 - Re-evaluate the vulnerability management process continually

Onsite Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Identify Vulnerability Sources

The Purpose

  • To develop the ways in which your organization can identify vulnerabilities

Key Benefits Achieved

  • Formalized processes and technology management to ensure effective and efficient vulnerability identification.




Build your vulnerability management team and define your program scope and boundary.

  • Established vulnerability management team and defined scope of program.

Evaluate and select vulnerability scanning tools.

  • Evaluated vulnerability scanning tool capabilities and developed RFP.

Evaluate penetration testing.

  • Assessed organization appropriateness for penetration testing and developed RFP.

Identify third-party vulnerability monitoring sources.

  • Documented schedules for monitoring of third-party vulnerability sources.

Develop a vulnerability detection incident process.

  • Defined processes to ensure incident management processes provide vulnerability information.

Module 2: Triage Vulnerabilities and Assign Urgencies

The Purpose

  • Triage vulnerabilities to understand if they are relevant to your organization.
  • Evaluate the intrinsic qualities of the vulnerabilities.
  • Determine high-level business criticalities and high-level data classifications.
  • Use these factors to build a methodology to break down the vulnerabilities into 12 different urgency levels.

Key Benefits Achieved

  • Triaging process for vulnerabilities.
  • Classifications for business-critical operations and for data.
  • A vulnerability evaluation process that incorporates the intrinsic aspects of each vulnerability, as well as the risk it poses to the organization.




Review triaging process.

  • A process to triage vulnerabilities to understand if they are relevant.

Identify how to evaluate vulnerabilities.

  • An evaluation method of vulnerabilities, based on the risk the vulnerability itself holds.

Determine high-level business criticality.

  • Defined high-level business criticality classifications.

Determine high-level data classifications.

  • Defined high-level data classifications.

Assign urgencies to vulnerabilities.

  • An overall process to assign urgencies to the vulnerabilities.

Module 3: Remediate Vulnerabilities

The Purpose

  • Build a remediation process that takes the urgencies of the vulnerabilities and identifies the appropriate remediation option.
  • Review the different remediation options and create criteria for when to use each one.
  • Link these to your other IT processes for your backups, testing, and remediation.

Key Benefits Achieved

  • A remediation process that identifies the appropriate remediation option, conducts backups, performs tests, and then fully implements the option.
  • Established criteria for when each remediation option should be used.
  • Formalized when vulnerabilities should become part of a security incident.




Prepare formal documentation for the remediation process.

  • Documents to track vulnerabilities through remediation.

Establish defense-in-depth modelling.

  • A high-level defense-in-depth model.

Identify remediation options and criteria to use each.

  • Established criteria for when to use and when to avoid each remediation option.

Formalize the backup schedule.


Establish testing process, including exceptions.

  • Established criteria for when remediation options can be exempted from testing.

Module 4: Continually Improve the Vulnerability Management Process

The Purpose

  • Ensure that the program continues to evolve as the security landscape evolves.
  • Determine how to measure the effectiveness of the overall program.

Key Benefits Achieved

  • Metrics with which to measure the overall program.
  • Continual review for when new assets and systems are introduced to the organization.
  • Update of the defense-in-depth model as security evolves.




Finalize remediation process.

  • Finalized remediation process.

Measure the program through metrics.

  • Metrics to measure the vulnerability management program as a whole and in more specific areas.

Update the vulnerability management policy.

  • A vulnerability management policy.

Re-evaluate the vulnerability management process continually.

  • Continual work with Info-Tech to ensure that the program improves and evolves.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Members who completed this Blueprint through a Guided Implementation:

  • STERIS Corporation
  • Investors Bank
  • Delta Dental Plan Of Colorado
  • Trinidad and Tobago Unit Trust Corp
  • Ocean Spray Cranberries
  • Allegheny Technologies Inc
  • Swagelok Company
  • Donor Network West
  • Federal Home Loan Bank of Chicago