Design and Implement a Vulnerability Management Program
Know what to protect and know when you’re overprotecting.
Onsite Workshop
Without an effective vulnerability management program, organizations face:
- Vulnerabilities going undetected until attackers exploit them.
- A list of vulnerabilities that keeps growing, with no understanding of which are most urgent and which should be prioritized first.
- An unclear remediation process, including no agreed way to decide which remediation option is appropriate.
Using Info-Tech’s methodology for vulnerability management, you will:
- Identify vulnerabilities from a variety of sources, including scanning tools, penetration tests, and third-party feeds.
- Develop a process for assigning an urgency to each vulnerability.
- Create a remediation process that selects the appropriate remediation option for each vulnerability.
- Continually improve your vulnerability management program.
Module 1: Identify Vulnerability Sources
The Purpose
- Develop the ways in which your organization identifies vulnerabilities.
Key Benefits Achieved
- Formalized processes and technology management to ensure effective and efficient vulnerability identification.
Activities: | Outputs:
---|---
1.1 Build your vulnerability management team and define your program scope and boundary. |
1.2 Evaluate and select vulnerability scanning tools. |
1.3 Evaluate penetration testing. |
1.4 Identify third-party vulnerability monitoring sources. |
1.5 Develop a vulnerability detection incident process. |
Module 2: Triage Vulnerabilities and Assign Urgencies
The Purpose
- Triage vulnerabilities to determine whether they are relevant to your organization.
- Evaluate the intrinsic qualities of each vulnerability.
- Determine high-level business criticalities and high-level data classifications for the affected assets.
- Combine these factors into a methodology that assigns each vulnerability one of 12 urgency levels.
Key Benefits Achieved
- A triaging process for vulnerabilities.
- Classifications for business-critical operations and for data.
- A vulnerability evaluation process that incorporates the intrinsic aspects of each vulnerability as well as the risk it poses to the organization.
Activities: | Outputs:
---|---
2.1 Review triaging process. |
2.2 Identify how to evaluate vulnerabilities. |
2.3 Determine high-level business criticality. |
2.4 Determine high-level data classifications. |
2.5 Assign urgencies to vulnerabilities. |
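The triage-and-urgency flow Module 2 describes, as an added example that is not Info-Tech's tool or scoring table. It assumes a specific model: intrinsic severity is a CVSS-style base score bucketed into four bands, business criticality and data classification are each three-tier labels with the asset's risk tier being the higher of the two, and the 12 urgency levels come from the resulting 4 x 3 matrix (level 1 most urgent). The relevance step drops findings whose affected product version is not actually installed on any asset. All asset, product and vulnerability data (`EX-1` etc.) is constructed for the example.

```python
"""Triage scanner findings and assign one of 12 urgency levels.

Added example, not Info-Tech's scoring table. Assumed model:
  - intrinsic severity: a CVSS-style base score bucketed into four bands
  - business criticality and data classification of the affected asset:
    each a three-tier label; the asset's risk tier is the higher of the two
  - urgency: a 4 x 3 matrix, level 1 (most urgent) to 12 (least urgent)
All asset and vulnerability data below is constructed for the example.
"""
from dataclasses import dataclass

# Lower bound of each severity band, checked from most to least severe.
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Shared ordering for business criticality and data classification tiers.
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    name: str
    software: dict             # product -> installed version
    business_criticality: str  # "high" | "medium" | "low"
    data_classification: str   # "high" | "medium" | "low"


@dataclass
class Vulnerability:
    vuln_id: str
    product: str
    affected_versions: frozenset
    base_score: float          # CVSS-style 0.0 - 10.0


def severity_band(score):
    """Map an intrinsic score to a severity band name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name


def exposed_assets(vuln, assets):
    """Triage step: keep only assets actually running an affected version."""
    return [a for a in assets
            if a.software.get(vuln.product) in vuln.affected_versions]


def asset_tier(asset):
    """The higher of business criticality and data classification sets the tier."""
    return min((asset.business_criticality, asset.data_classification),
               key=TIER_RANK.__getitem__)


def urgency_level(severity, tier):
    """Row = severity band, column = asset tier; 1 is most urgent, 12 least."""
    return SEVERITY_RANK[severity] * len(TIER_RANK) + TIER_RANK[tier] + 1


def triage(vulns, assets):
    """One record per vulnerability, most urgent first; irrelevant findings last."""
    records = []
    for v in vulns:
        hits = exposed_assets(v, assets)
        sev = severity_band(v.base_score)
        if not hits:
            records.append({"id": v.vuln_id, "urgency": None,
                            "severity": sev, "assets": []})
            continue
        # A vulnerability inherits the urgency of its most sensitive exposed asset.
        level = min(urgency_level(sev, asset_tier(a)) for a in hits)
        records.append({"id": v.vuln_id, "urgency": level, "severity": sev,
                        "assets": sorted(a.name for a in hits)})
    return sorted(records, key=lambda r: (r["urgency"] is None, r["urgency"] or 0))


# Constructed sample inventory and findings (not real products or advisories).
ASSETS = [
    Asset("payroll-db", {"dbserver": "5.2"}, "high", "high"),
    Asset("intranet-wiki", {"wikiapp": "3.1", "dbserver": "5.2"}, "low", "medium"),
    Asset("lobby-kiosk", {"kioskui": "1.0"}, "low", "low"),
]
VULNS = [
    Vulnerability("EX-1", "dbserver", frozenset({"5.1", "5.2"}), 9.8),
    Vulnerability("EX-2", "wikiapp", frozenset({"3.1"}), 5.3),
    Vulnerability("EX-3", "kioskui", frozenset({"0.9"}), 7.5),  # fixed version installed
    Vulnerability("EX-4", "kioskui", frozenset({"1.0"}), 7.5),
]

if __name__ == "__main__":
    for record in triage(VULNS, ASSETS):
        print(record)
```

With the constructed data, `EX-1` lands at level 1 because the payroll database is both business-critical and holds the most sensitive data, while `EX-4` (a high-severity flaw on a low-tier kiosk) ends up at level 6, below the critical finding but above the medium one on the wiki; `EX-3` is reported as not relevant rather than silently dropped, so the decision is auditable. The weights here are an assumption to be replaced by your own criticality and classification scheme.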
Module 3: Remediate Vulnerabilities
The Purpose
- Build a remediation process that takes the urgency of each vulnerability and identifies the appropriate remediation option.
- Review the different remediation options and create criteria for when to use each one.
- Link these to the IT processes that support remediation, such as backups and testing.
Key Benefits Achieved
- A remediation process that selects the appropriate remediation option, takes backups, performs tests, and then fully implements the option.
- Established criteria for when each remediation option should be used.
- Formal criteria for when a vulnerability should be escalated to a security incident.
Activities: | Outputs:
---|---
3.1 Prepare formal documentation for the remediation process. |
3.2 Establish defense-in-depth modelling. |
3.3 Identify remediation options and criteria to use each. |
3.4 Formalize the backup schedule. |
3.5 Establish testing process, including exceptions. |
Module 4: Continually Improve the Vulnerability Management Process
The Purpose
- Ensure that the program continues to evolve as the security landscape evolves.
- Determine how to measure the effectiveness of the overall program.
Key Benefits Achieved
- Metrics with which to measure the overall program.
- Continual review for when new assets and systems are introduced to the organization.
- Update of the defense-in-depth model as security evolves.
Activities: | Outputs:
---|---
4.1 Finalize remediation process. |
4.2 Measure the program through metrics. |
4.3 Update the vulnerability management policy. |
4.4 Re-evaluate the vulnerability management process continually. |