
Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!


Contributors

  • 2 anonymous contributors from the manufacturing sector
  • 1 anonymous contributor from a US government agency
  • 2 anonymous contributors from the financial sector
  • 1 anonymous contributor from the medical technology industry
  • 2 anonymous contributors from higher education
  • 1 anonymous contributor from a Canadian government agency
  • 7 anonymous others, information gathered from advisory calls

Your Challenge

  • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
  • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

Our Advice

Critical Insight

  • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
  • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
  • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

Impact and Result

  • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
  • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
  • The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium and low vulnerabilities.
  • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
  • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Identify vulnerability sources

Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

2. Triage vulnerabilities and assign priorities

Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

3. Remediate vulnerabilities

Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options (compensating controls, configuration changes, isolation) are available. Reduce the residual risk to medium or low, then hand those remaining items to your regular operational processes.

4. Measure and formalize

Evolve the program continually by developing metrics and formalizing a policy.

Guided Implementations

This guided implementation is an eight-call advisory process.

Guided Implementation #1 - Identify vulnerability sources

Call #1 - Scope requirements, objectives, and your specific challenges.
Call #2 - Discuss current state and vulnerability sources.

Guided Implementation #2 - Triage vulnerabilities and assign priorities

Call #1 - Identify triage methods and business criticality.
Call #2 - Review current defense-in-depth and discuss risk assessment.

Guided Implementation #3 - Remediate vulnerabilities

Call #1 - Discuss remediation options and scheduling.
Call #2 - Review release and change management and continuous improvement.

Guided Implementation #4 - Measure and formalize

Call #1 - Identify metrics, KPIs, and CSFs.
Call #2 - Review vulnerability management policy.

Onsite Workshop


Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Identify Vulnerability Sources

The Purpose

  • Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

Key Benefits Achieved

  • Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

Activities and Outputs

1.1 Define the scope & boundary of your organization’s security program.
  • Output: Defined scope and boundaries of the IT security program

1.2 Assign responsibility for vulnerability identification and remediation.
  • Output: Roles and responsibilities defined for member groups

1.3 Develop a monitoring and review process of third-party vulnerability sources.
  • Output: Process for review of third-party vulnerability sources

1.4 Review incident management and vulnerability management.
  • Output: Alignment of the vulnerability management program with existing incident management processes

Module 2: Triage and Prioritize

The Purpose

  • We will examine the elements you will use to triage and analyze vulnerabilities, prioritize them using a risk-based approach, and prepare the remediation options.

Key Benefits Achieved

  • A consistent, documented process for the evaluation of vulnerabilities in your environment.

Activities and Outputs

2.1 Evaluate your identified vulnerabilities.
  • Output: Adjusted workflow to reflect your current processes

2.2 Determine high-level business criticality.
  • Output: List of business operations and their criticality and impact to the business

2.3 Determine your high-level data classifications.
  • Output: Adjusted workflow to reflect your current processes

2.4 Document your defense-in-depth controls.
  • Output: List of defense-in-depth controls

2.5 Build a classification scheme to consistently assess impact.
  • Output: Vulnerability Management Risk Assessment tool formatted to your organization

2.6 Build a classification scheme to consistently assess likelihood.
  • Output: Vulnerability Management Risk Assessment tool formatted to your organization
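The following is an added worked example of the triage scheme this module describes (business criticality, data classification, compensating controls, and separate impact and likelihood scales), and of the routing in "Impact and Result" that sends critical/high findings to immediate action and medium/low to the standard cycle. It is illustration code written for this page, not Info-Tech's Risk Assessment tool; the scales, weights, thresholds, control names and sample findings are all assumptions and should be calibrated to your own organization.

```python
from dataclasses import dataclass, field

# Four-level scales for the worked classification scheme. These weights
# and thresholds are assumptions of this example, not Info-Tech's
# Risk Assessment tool; calibrate them to your own organization.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DATA_CLASS = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Compensating (defense-in-depth) controls this example treats as lowering
# the likelihood of exploitation by one level each. Hypothetical set.
MITIGATING_CONTROLS = frozenset({"waf", "network_segmentation", "edr", "mfa"})


@dataclass(frozen=True)
class Finding:
    host: str
    title: str                 # scanner finding title
    scanner_severity: str      # what the tool reports: low/medium/high/critical
    business_criticality: str  # from the business-criticality exercise (2.2)
    data_class: str            # from the data-classification exercise (2.3)
    internet_facing: bool
    exploit_public: bool
    controls: frozenset = field(default_factory=frozenset)  # from the control inventory (2.4)


def impact(f: Finding) -> int:
    """Impact (1..4): the worse of business criticality and data sensitivity."""
    return max(LEVELS[f.business_criticality], DATA_CLASS[f.data_class])


def likelihood(f: Finding) -> int:
    """Likelihood (1..5): scanner severity, raised for internet exposure and a
    public exploit, lowered one level per compensating control that applies."""
    score = LEVELS[f.scanner_severity]
    score += 1 if f.internet_facing else 0
    score += 1 if f.exploit_public else 0
    score -= len(f.controls & MITIGATING_CONTROLS)
    return max(1, min(5, score))


def risk_score(f: Finding) -> int:
    """Impact x likelihood, 1..20."""
    return impact(f) * likelihood(f)


def risk_rating(f: Finding) -> str:
    score = risk_score(f)
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def remediation_track(rating: str) -> str:
    """Critical/high go to immediate action; medium/low go to the standard cycle."""
    return "immediate" if rating in ("critical", "high") else "standard cycle"


def triage(findings):
    """Return findings ordered by contextual risk, each with its remediation track."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), f.host))
    return [
        (f.host, f.title, f.scanner_severity, risk_rating(f), remediation_track(risk_rating(f)))
        for f in ordered
    ]


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("web-01", "RCE in public web framework", "critical", "high", "confidential",
            internet_facing=True, exploit_public=True, controls=frozenset({"waf"})),
    Finding("kiosk-07", "Outdated OS on isolated kiosk", "critical", "low", "public",
            internet_facing=False, exploit_public=False,
            controls=frozenset({"network_segmentation"})),
    Finding("db-02", "Privilege escalation in DB service", "medium", "critical", "restricted",
            internet_facing=False, exploit_public=True),
    Finding("dev-11", "Verbose error pages", "low", "low", "internal",
            internet_facing=True, exploit_public=False),
]

if __name__ == "__main__":
    for host, title, reported, rating, track in triage(SAMPLE):
        print(f"{host:9} scanner={reported:8} contextual={rating:8} -> {track}: {title}")
```

Two of the constructed findings show the point of the module: the scanner's "critical" on the segmented, public-data kiosk drops to low and rides the standard cycle, while the scanner's "medium" on the restricted-data database rises to high and goes to immediate action. Whatever weights you settle on, keep the scheme documented and apply it the same way to every finding so ratings are comparable across scans and teams.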

Module 3: Remediate Vulnerabilities

The Purpose

  • Identifying potential remediation options.
  • Developing criteria for each option in regard to when to use and when to avoid.
  • Establishing exception procedure for testing and remediation.
  • Documenting the implementation of remediation and verification.

Key Benefits Achieved

  • Identifying and selecting the remediation option to be used
  • Determining what to do when a patch or update is not available
  • Scheduling and executing the remediation activity
  • Planning continuous improvement

Activities and Outputs

3.1 Develop risk and remediation actions.
  • Output: List of remediation options sorted into “when to use” and “when to avoid” lists

Module 4: Measure and Formalize

The Purpose

  • You will determine what ought to be measured to track the success of your vulnerability management program.
  • If you lack a scanning tool this phase will help you determine tool selection.
  • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

Key Benefits Achieved

  • Outline of metrics that you can then configure your vulnerability scanning tool to report on.
  • Development of an inaugural policy covering vulnerability management.
  • The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
  • An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

Activities and Outputs

4.1 Measure your program with metrics, KPIs, and CSFs.
  • Output: List of relevant metrics to track, with the KPIs, CSFs, and business goals they support

4.2 Update the vulnerability management policy.
  • Output: Completed Vulnerability Management Policy

4.3 Create an RFP for vulnerability scanning tools.
  • Output: Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

4.4 Create an RFP for penetration tests.
  • Output: Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

Member Testimonials


After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client                                       Experience             Impact   $ Saved   Days Saved
Statistics New Zealand                       Guided Implementation  10/10    $8,604    10
State of Michigan                            Workshop               7/10     $12,292   10
South Carolina State Ports Authority         Guided Implementation  10/10    $63,711   20
Legal Services Corporation                   Guided Implementation  9/10     N/A       N/A
Trihealth                                    Guided Implementation  9/10     N/A       N/A
STERIS Corporation                           Guided Implementation  8/10     $63,667   50
Investors Bank                               Guided Implementation  10/10    N/A       N/A
Delta Dental Plan Of Colorado                Guided Implementation  10/10    N/A       29
Trinidad and Tobago Unit Trust Corporation   Guided Implementation  8/10     N/A       N/A
Ocean Spray Cranberries                      Guided Implementation  8/10     N/A       N/A
?ATI CORP                                    Guided Implementation  8/10     N/A       N/A
Swagelok Company                             Guided Implementation  8/10     N/A       N/A
Trihealth                                    Guided Implementation  6/10     $6,366    5
Donor Network West                           Guided Implementation  3/10     N/A       N/A
Federal Home Loan Bank of Chicago            Guided Implementation  6/10     N/A       N/A
