Design and Implement a Vulnerability Management Program

Know what to protect and know when you’re overprotecting.

Onsite Workshop

Without an effective vulnerability management program, organizations face:

  • Vulnerabilities going undetected and being exploited by attackers.
  • The list of vulnerabilities continuing to grow, without an understanding of which are most urgent and which need to be prioritized first.
  • An unclear remediation process, including no defined way to determine the appropriate remediation option.

Using Info-Tech’s methodology for vulnerability management, you will:

  • Identify vulnerability sources from a variety of means, including scanning tools, penetration tests, and third-party sources.
  • Develop a process for assigning urgencies to your vulnerabilities.
  • Create a remediation process that identifies appropriate remediation options for the vulnerabilities.
  • Continually evolve your vulnerability management program to optimal levels.

Module 1: Identify Vulnerability Sources

The Purpose

  • To develop the ways in which your organization can identify vulnerabilities.

Key Benefits Achieved

  • Formalized processes and technology management to ensure effective and efficient vulnerability identification.

Activities and Outputs
1.1 Build your vulnerability management team and define your program scope and boundary.
  • Established vulnerability management team and defined scope of program.
1.2 Evaluate and select vulnerability scanning tools.
  • Evaluated vulnerability scanning tool capabilities and developed RFP.
1.3 Evaluate penetration testing.
  • Assessed organization appropriateness for penetration testing and developed RFP.
1.4 Identify third-party vulnerability monitoring sources.
  • Documented schedules for monitoring of third-party vulnerability sources.
1.5 Develop a vulnerability detection incident process.
  • Defined processes to ensure incident management processes provide vulnerability information.

Module 2: Triage Vulnerabilities and Assign Urgencies

The Purpose

  • Triage vulnerabilities to understand if they are relevant to your organization.
  • Evaluate the intrinsic qualities of the vulnerabilities.
  • Determine high-level business criticalities and high-level data classifications.
  • Use these factors to build a methodology to break down the vulnerabilities into 12 different urgency levels.

Key Benefits Achieved

  • Triaging process for vulnerabilities.
  • Classifications for business critical operations, and for data classification.
  • A vulnerability evaluation process that incorporates the intrinsic aspects of the vulnerabilities, as well as the risk they pose to the organization.

Activities and Outputs
2.1 Review triaging process.
  • A process to triage vulnerabilities to understand if they are relevant.
2.2 Identify how to evaluate vulnerabilities.
  • A method for evaluating vulnerabilities based on the risk inherent in the vulnerability itself.
2.3 Determine high-level business criticality.
  • Defined high-level business criticality classifications.
2.4 Determine high-level data classifications.
  • Defined high-level data classifications.
2.5 Assign urgencies to vulnerabilities.
  • An overall process to assign urgencies to the vulnerabilities.
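The page describes the Module 2 methodology only in outline: triage for relevance, evaluate the intrinsic severity, classify business criticality and data, then combine the factors into 12 urgency levels. The script below is an added illustration of that combination and is not Info-Tech's own scoring scheme. It assumes three intrinsic severity bands (from a 0.0-10.0 CVSS-style base score), two business-criticality classes and two data classes, which multiply to 12 levels, and it assumes severity is the primary sort key. The asset inventory, product names and findings are constructed sample data.

```python
"""Triage and urgency assignment for vulnerability findings (constructed example).

The 12 urgency levels here are an assumption: three intrinsic severity bands
x two business-criticality classes x two data classes. Level 1 is most urgent.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str    # scanner's own identifier (constructed)
    asset: str         # hostname the scanner reported the finding on
    product: str       # affected software the finding applies to
    base_score: float  # intrinsic severity on a 0.0-10.0 CVSS-style scale


# Constructed asset inventory:
# asset -> (business criticality, data classification, installed products)
INVENTORY = {
    "erp-db-01":     ("high", "sensitive", {"oracle-db", "rhel"}),
    "payments-api":  ("high", "sensitive", {"nginx", "openssl"}),
    "intranet-wiki": ("low", "internal", {"mediawiki", "php"}),
    "kiosk-07":      ("low", "internal", {"windows-10"}),
}

# Rank order within each factor: index 0 is the most urgent value.
SEVERITY_BANDS = ("High", "Medium", "Low")
CRITICALITY = ("high", "low")
DATA_CLASSES = ("sensitive", "internal")


def severity_band(base_score: float) -> str:
    """Map an intrinsic score to a band; the thresholds are an assumption."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"base score out of range: {base_score}")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


def is_relevant(finding: Finding) -> bool:
    """Triage step: keep a finding only if the asset is in scope and
    actually runs the affected product (filters scanner false positives)."""
    entry = INVENTORY.get(finding.asset)
    return entry is not None and finding.product in entry[2]


def urgency_level(finding: Finding) -> Optional[int]:
    """Return urgency 1 (most urgent) .. 12 (least), or None if triaged out."""
    if not is_relevant(finding):
        return None
    crit, data_class, _ = INVENTORY[finding.asset]
    sev_rank = SEVERITY_BANDS.index(severity_band(finding.base_score))
    crit_rank = CRITICALITY.index(crit)
    data_rank = DATA_CLASSES.index(data_class)
    # Severity is the primary key, criticality secondary, data class tertiary,
    # so the 3 x 2 x 2 combinations map onto the integers 1..12.
    return sev_rank * 4 + crit_rank * 2 + data_rank + 1


def prioritize(findings: List[Finding]) -> List[Tuple[int, Finding]]:
    """Drop irrelevant findings; return the rest sorted most urgent first."""
    ranked = [(urgency_level(f), f) for f in findings]
    kept = [(lvl, f) for lvl, f in ranked if lvl is not None]
    kept.sort(key=lambda pair: (pair[0], pair[1].finding_id))
    return kept


# Constructed scanner output used for the stand-alone run.
SAMPLE_FINDINGS = [
    Finding("F-001", "erp-db-01", "oracle-db", 9.8),
    Finding("F-002", "intranet-wiki", "mediawiki", 5.3),
    Finding("F-003", "kiosk-07", "windows-10", 2.1),
    Finding("F-004", "kiosk-07", "oracle-db", 9.8),   # product not on that asset
    Finding("F-005", "payments-api", "openssl", 7.5),
    Finding("F-006", "dev-box-99", "nginx", 8.0),     # asset not in inventory
]

if __name__ == "__main__":
    for lvl, f in prioritize(SAMPLE_FINDINGS):
        print(f"urgency {lvl:2d}  {f.finding_id}  {f.asset:14s} {f.product:11s} score={f.base_score}")
```

Running it ranks F-001 and F-005 at level 1, F-002 at level 8 and F-003 at level 12, while F-004 and F-006 are dropped at triage because the affected product is not installed on the reported asset or the asset is outside the inventory. The key design point is the ordering of factors: putting intrinsic severity first means a critical flaw on a low-value kiosk still outranks a low-severity flaw on the ERP database; an organization that wants business criticality to dominate would simply swap the multipliers.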

Module 3: Remediate Vulnerabilities

The Purpose

  • Build a remediation process that takes the urgencies of the vulnerabilities and identifies the appropriate remediation option.
  • Review the different remediation options and create criteria for when to use each one.
  • Link these to your other IT processes for your backups, testing, and remediation.

Key Benefits Achieved

  • A remediation process that identifies the appropriate remediation option, conducts backups, performs tests, and then fully implements the option.
  • Established criteria for when each remediation option should be used.
  • Formalized when vulnerabilities should become part of a security incident.

Activities and Outputs
3.1 Prepare formal documentation for the remediation process.
  • Documents to track vulnerabilities through remediation.
3.2 Establish defense-in-depth modelling.
  • A high-level defense-in-depth model.
3.3 Identify remediation options and criteria to use each.
  • Established criteria for when to use and when to avoid each remediation option.
3.4 Formalize the backup schedule.
3.5 Establish testing process, including exceptions.
  • Established criteria for when remediation options can be exempted from testing.

Module 4: Continually Improve the Vulnerability Management Process

The Purpose

  • Ensure that the program continues to evolve as the security landscape continues to evolve.
  • Determine how to measure the effectiveness of the overall program.

Key Benefits Achieved

  • Metrics with which to measure the overall program.

  • Continual review for when new assets and systems are introduced to the organization.
  • Update of the defense-in-depth model as security evolves.

Activities and Outputs
4.1 Finalize remediation process.
  • Finalized remediation process.
4.2 Measure the program through metrics.
  • Metrics to measure the vulnerability management program as a whole and in more specific areas.
4.3 Update the vulnerability management policy.
  • A vulnerability management policy.
4.4 Re-evaluate the vulnerability management process continually.
  • Continual work with Info-Tech to ensure that the program improves and evolves.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
