Design and Implement a Vulnerability Management Program
Know what to protect and know when you’re overprotecting.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Contributors
- Arell Chapman, VP Information Technology, Gleaner Life Insurance Society
- Dave Millier, CEO, Uzado Inc.
- Dominica McCoy, Network Security Engineer, DTS Technology & Entertainment Solutions
- Gerry Holmes, Director, Information Technology, Canadian Cancer Society, Ontario Division
- James Webb, Sr. Systems Specialist, Muscogee Creek Nation Casino
- Mark Sauer, Director, Technology Information Security & Architecture, M Financial Group
- Morey Haber, Vice President of Technology, BeyondTrust
- Mike Nelson, IT Security Analyst, Banner Health
- Paul Daley, Sr. Analyst, Security Management, Toronto District School Board
- Phaphani Boya, ICT Security Officer, Mediclinic Southern Africa Ltd.
- Shane Adams, Director of IT Engineering, Pearl River Resort
- Steve Kurutz, Director of Information Services, McElvain Energy, Inc.
- 2 anonymous contributors.
Your Challenge
- Scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
- Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider including the threat of the vulnerability and the potential remediation itself.
- Further, companies are unaware of the risk implications that come from leaving vulnerabilities open, and even from some of the remediation options.
Our Advice
Critical Insight
- Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
- Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
- There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.
Impact and Result
- Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.
- Follow Info-Tech’s methodology in assigning urgencies to vulnerabilities by examining the intrinsic qualities of the vulnerability, as well as the sensitivity of the data and business criticality of the affected asset.
- Understand what needs to be considered when implementing remediation options including patches, configuration changes, and/or defense-in-depth controls.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Identify vulnerability sources
Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.
2. Triage vulnerabilities and assign urgencies
Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.
3. Remediate vulnerabilities
Develop a process to remediate vulnerabilities, including the identification of the appropriate remediation option.
4. Continually improve the vulnerability management process
Evolve the program continually by developing metrics and formalizing a policy.
Guided Implementations
This guided implementation is a thirteen call advisory process.
Guided Implementation #1 - Identify vulnerability sources
Call #1 - Project kick off call
Call #2 - Select a vulnerability scanning tool
Call #3 - Select penetration testing
Call #4 - Identify third-party and incident vulnerability sources
Guided Implementation #2 - Triage vulnerabilities and assign urgencies
Call #1 - Triage and evaluate the vulnerabilities
Call #2 - Define business-critical operations and data classifications
Call #3 - Finalize the urgency assignments
Guided Implementation #3 - Remediate vulnerabilities
Call #1 - Identify remediation options and establish criteria
Call #2 - Formalize backup and testing procedures
Call #3 - Remediate vulnerabilities and verify
Guided Implementation #4 - Continually improve the vulnerability management process
Call #1 - Measure the program through metrics
Call #2 - Update the vulnerability management policy
Call #3 - Re-evaluate the vulnerability management process continually
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Identify Vulnerability Sources
The Purpose
- To develop the ways in which your organization can identify vulnerabilities
Key Benefits Achieved
- Formalized processes and technology management to ensure effective and efficient vulnerability identification.
Activities
Outputs
Build your vulnerability management team and define your program scope and boundary.
- Established vulnerability management team and defined scope of program.
Evaluate and select vulnerability scanning tools.
- Evaluated vulnerability scanning tool capabilities and developed RFP.
Evaluate penetration testing.
- Assessed organization appropriateness for penetration testing and developed RFP.
Identify third-party vulnerability monitoring sources.
- Documented schedules for monitoring of third-party vulnerability sources.
Develop a vulnerability detection incident process.
- Defined processes to ensure incident management processes provide vulnerability information.
Module 2: Triage Vulnerabilities and Assign Urgencies
The Purpose
- Triage vulnerabilities to understand if they are relevant to your organization.
- Evaluate the intrinsic qualities of the vulnerabilities.
- Determine high-level business criticalities and high-level data classifications.
- Use these factors to build a methodology to break down the vulnerabilities into 12 different urgency levels.
Key Benefits Achieved
- Triaging process for vulnerabilities.
- Classifications for business critical operations, and for data classification.
- A vulnerability evaluation process that incorporates the intrinsic aspects of the vulnerabilities, as well as how it poses a risk to the organization.
Activities
Outputs
Review triaging process.
- A process to triage vulnerabilities to understand if they are relevant.
Identify how to evaluate vulnerabilities.
- An evaluation method of vulnerabilities, based on the risk the vulnerability itself holds.
Determine high-level business criticality.
- Defined high-level business criticality classifications.
Determine high-level data classifications.
- Defined high-level data classifications.
Assign urgencies to vulnerabilities.
- An overall process to assign urgencies to the vulnerabilities.
Module 3: Remediate Vulnerabilities
The Purpose
- Build a remediation process that takes the urgencies of the vulnerabilities and identifies the appropriate remediation option.
- Review the different remediation options and create criteria for when to use each one.
- Link these to your other IT processes for your backups, testing, and remediation.
Key Benefits Achieved
- A remediation process that identifies the appropriate remediation option, conducts backups, performs tests, and then fully implements the option.
- Established criteria for when each remediation option should be used.
- Formalized when vulnerabilities should become part of a security incident.
Activities
Outputs
Prepare formal documentation for the remediation process.
- Documents to track vulnerabilities through remediation.
Establish defense-in-depth modelling.
- A high-level defense-in-depth model.
Identify remediation options and criteria to use each.
- Established criteria for when to use and when to avoid each remediation option.
Formalize the backup schedule.
Establish testing process, including exceptions.
- Established criteria for when remediation options can be exempted from testing.
Module 4: Continually Improve the Vulnerability Management Process
The Purpose
•Ensure that the program continues to evolve as the security landscape continues to evolve.
Key Benefits Achieved
Metrics in which to measure the overall program.
- Continual review for when new assets and systems are introduced to the organization.
- Update of the defense-in-depth model as security evolves.
Activities
Outputs
Finalize remediation process.
- Finalized remediation process.
Measure the program through metrics.
- Metrics to measure the vulnerability management program as a whole and in more specific areas.
Update the vulnerability management policy.
- A vulnerability management policy.
Re-evaluate the vulnerability management process continually.
- Continual work with Info-Tech to ensure that the program improves and evolves.
