Implement Risk-Based Vulnerability Management
Get off the patching merry-go-round and start mitigating risk!
Book This Workshop
Without an effective vulnerability management program, organizations face:
- Vulnerabilities going undetected and becoming exploited by attackers.
- The list of vulnerabilities seems endless, and you don’t know where to start.
- Your vulnerability tool reports the urgency of certain vulnerabilities to be high, but you know otherwise that they might not be as critical as what the tool is reporting.
- You are being told that everything must be patched, however, you know that that is not possible for feasible. Patching can also break things.
Using Info-Tech’s methodology for vulnerability management, you will:
- Develop a structured, consistent way to remediate vulnerabilities.
- Understand the risk that certain vulnerability types pose to your organization, within the proper context of your business.
- Gain insight around remediation methods that do not include patching, especially when patching is not possible or cannot be done in a timely fashion.
- Develop a process that can withstand audit and makes good business sense.
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book NowModule 1: Identify Vulnerability Sources
The Purpose
- Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
Key Benefits Achieved
- Attain
visibility on all of the vulnerability information sources, and a common
understanding of vulnerability management and its scope.
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Define the scope & boundary of your organization’s security program. |
|
| 1.2 | Assign responsibility for vulnerability identification and remediation. |
|
| 1.3 | Develop a monitoring and review process of third-party vulnerability sources. |
|
| 1.4 | Review incident management and vulnerability management |
|
Module 2: Triage and Prioritize
The Purpose
- We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.
Key Benefits Achieved
- A consistent, documented process for the evaluation of vulnerabilities in your environment.
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Evaluate your identified vulnerabilities. |
|
| 2.2 | Determine high-level business criticality. |
|
| 2.3 | Determine your high-level data classifications. |
|
| 2.4 | Document your defense-in-depth controls. |
|
| 2.5 | Build a classification scheme to consistently assess impact. |
|
| 2.6 | Build a classification scheme to consistently assess likelihood. |
|
Module 3: Remediate Vulnerabilities
The Purpose
- Identifying potential remediation options.
- Developing criteria for each option in regard to when to use and when to avoid.
- Establishing exception procedure for testing and remediation.
- Documenting the implementation of remediation and verification.
Key Benefits Achieved
- Identifying and selecting the remediation option to be used
- Determining what to do when a patch or update is not available
- Scheduling and executing the remediation activity
- Planning continuous improvement
| Activities: | Outputs: | |
|---|---|---|
| 3.1 | Develop risk and remediation action. |
|
Module 4: Measure and Formalize
The Purpose
- You will determine what ought to be measured to track the success of your vulnerability management program.
- If you lack a scanning tool this phase will help you determine tool selection.
- Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.
Key Benefits Achieved
- Outline of metrics that you can then configure your vulnerability scanning tool to report on.
- Development of an inaugural policy covering vulnerability management.
- The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
- An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
| Activities: | Outputs: | |
|---|---|---|
| 4.1 | Measure your program with metrics, KPIs, and CSFs. |
|
| 4.2 | Update the vulnerability management policy. |
|
| 4.3 | Create an RFP for vulnerability scanning tools. |
|
| 4.4 | Create an RFP for penetration tests. |
|