Implement Risk-Based Vulnerability Management
Get off the patching merry-go-round and start mitigating risk!
Onsite Workshop
Without an effective vulnerability management program, organizations face:
- Vulnerabilities going undetected and being exploited by attackers.
- The list of vulnerabilities seems endless, and you don’t know where to start.
- Your vulnerability tool reports the urgency of certain vulnerabilities as high, but you know they may not be as critical as the tool suggests.
- You are being told that everything must be patched, but you know that is not possible or feasible. Patching can also break things.
Using Info-Tech’s methodology for vulnerability management, you will:
- Develop a structured, consistent way to remediate vulnerabilities.
- Understand the risk that certain vulnerability types pose to your organization, within the proper context of your business.
- Gain insight around remediation methods that do not include patching, especially when patching is not possible or cannot be done in a timely fashion.
- Develop a process that can withstand audit and makes good business sense.
Module 1: Identify Vulnerability Sources
The Purpose
- Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
Key Benefits Achieved
- Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.
| Activities | | Outputs |
|---|---|---|
| 1.1 | Define the scope & boundary of your organization’s security program. | |
| 1.2 | Assign responsibility for vulnerability identification and remediation. | |
| 1.3 | Develop a monitoring and review process of third-party vulnerability sources. | |
| 1.4 | Review incident management and vulnerability management. | |
Module 2: Triage and Prioritize
The Purpose
- We will examine the elements that you will use to triage and analyze vulnerabilities, prioritize them using a risk-based approach, and prepare remediation options.
Key Benefits Achieved
- A consistent, documented process for the evaluation of vulnerabilities in your environment.
| Activities | | Outputs |
|---|---|---|
| 2.1 | Evaluate your identified vulnerabilities. | |
| 2.2 | Determine high-level business criticality. | |
| 2.3 | Determine your high-level data classifications. | |
| 2.4 | Document your defense-in-depth controls. | |
| 2.5 | Build a classification scheme to consistently assess impact. | |
| 2.6 | Build a classification scheme to consistently assess likelihood. | |
Module 3: Remediate Vulnerabilities
The Purpose
- Identifying potential remediation options.
- Developing criteria for each option in regard to when to use and when to avoid.
- Establishing exception procedure for testing and remediation.
- Documenting the implementation of remediation and verification.
Key Benefits Achieved
- Identifying and selecting the remediation option to be used
- Determining what to do when a patch or update is not available
- Scheduling and executing the remediation activity
- Planning continuous improvement
| Activities | | Outputs |
|---|---|---|
| 3.1 | Develop risk and remediation action. | |
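The following is an added illustration of the triage logic in Modules 2 and 3 (business criticality, data classification, defense-in-depth controls, and separate impact and likelihood classification schemes feeding a remediation decision). It is example code written for this page, not Info-Tech’s methodology or any tool’s scoring: the ordinal scales, weights, SLA targets, asset names, finding identifiers and sample findings are all constructed assumptions. It shows the effect the workshop describes, namely that a scanner’s severity ordering and a risk-based ordering can disagree once business context and compensating controls are taken into account.

```python
"""Risk-based prioritization of scanner findings (illustrative, constructed scales)."""
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption, not Info-Tech's scheme): 1 = low, 3 = high.
BUSINESS_CRITICALITY = {"low": 1, "medium": 2, "high": 3}
DATA_CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3}
CONTROL_CREDIT = 0.5  # each documented defense-in-depth control lowers likelihood by this much
# Constructed remediation SLA targets in days, keyed by risk rating (assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str                    # hypothetical asset name
    finding_id: str               # placeholder identifier, constructed for the example
    scanner_severity: float       # severity as the scanning tool reports it (CVSS-style, 0..10)
    business_criticality: str     # result of the high-level business criticality exercise
    data_classification: str      # result of the high-level data classification exercise
    exploit_available: bool       # is a working exploit publicly known?
    internet_exposed: bool
    patch_available: bool
    compensating_controls: list[str] = field(default_factory=list)


def impact(f: Finding) -> float:
    """Impact in business context: mean of criticality and data sensitivity (1..3)."""
    return (BUSINESS_CRITICALITY[f.business_criticality]
            + DATA_CLASSIFICATION[f.data_classification]) / 2


def likelihood(f: Finding) -> float:
    """Likelihood of exploitation (1..3): exposure and a public exploit raise it,
    each documented defense-in-depth control lowers it, never below 1."""
    score = 1.0 + int(f.internet_exposed) + int(f.exploit_available)
    score -= CONTROL_CREDIT * len(f.compensating_controls)
    return max(1.0, min(3.0, score))


def risk(f: Finding) -> float:
    """Risk = impact x likelihood, on a 1..9 scale."""
    return impact(f) * likelihood(f)


def risk_rating(f: Finding) -> str:
    r = risk(f)
    if r >= 6:
        return "critical"
    if r >= 4:
        return "high"
    if r >= 2:
        return "medium"
    return "low"


def remediation_action(f: Finding) -> tuple[str, int]:
    """Pick a remediation route and its SLA. Patching is not the only option:
    without a patch, critical/high risk gets a mitigating control, lower risk is
    recorded and tracked as an accepted exception."""
    rating = risk_rating(f)
    if f.patch_available:
        return "patch", SLA_DAYS[rating]
    if rating in ("critical", "high"):
        return "mitigate", SLA_DAYS[rating]
    return "accept-and-track", SLA_DAYS[rating]


def scanner_order(findings: list[Finding]) -> list[str]:
    """Asset order if you simply trust the tool's severity."""
    return [f.asset for f in sorted(findings, key=lambda f: f.scanner_severity, reverse=True)]


def prioritize(findings: list[Finding]) -> list[str]:
    """Asset order after risk-based triage."""
    return [f.asset for f in sorted(findings, key=risk, reverse=True)]


# Constructed sample findings (assumption): not real assets or real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("web-portal-01", "FINDING-A", 7.5, "high", "confidential",
            exploit_available=True, internet_exposed=True, patch_available=True),
    Finding("build-server-02", "FINDING-B", 9.8, "low", "internal",
            exploit_available=False, internet_exposed=False, patch_available=True,
            compensating_controls=["network segmentation", "host firewall"]),
    Finding("db-cluster-03", "FINDING-C", 6.5, "high", "confidential",
            exploit_available=True, internet_exposed=False, patch_available=False,
            compensating_controls=["host IPS"]),
]

if __name__ == "__main__":
    print("scanner order:", scanner_order(SAMPLE_FINDINGS))
    print("risk order:   ", prioritize(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f.asset, f.finding_id, f"risk={risk(f):.1f}", risk_rating(f), remediation_action(f))
```

In the constructed sample, the tool ranks the isolated build server first because of its 9.8 severity, while the risk-based view puts the exposed, exploitable, confidential-data web portal first and demotes the segmented build server to the bottom; the database finding with no patch available is routed to a mitigating control with a high-rating SLA rather than left waiting for a patch.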
Module 4: Measure and Formalize
The Purpose
- You will determine what ought to be measured to track the success of your vulnerability management program.
- If you lack a scanning tool this phase will help you determine tool selection.
- Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.
Key Benefits Achieved
- Outline of metrics that you can then configure your vulnerability scanning tool to report on.
- Development of an inaugural policy covering vulnerability management.
- The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
- An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
| Activities | | Outputs |
|---|---|---|
| 4.1 | Measure your program with metrics, KPIs, and CSFs. | |
| 4.2 | Update the vulnerability management policy. | |
| 4.3 | Create an RFP for vulnerability scanning tools. | |
| 4.4 | Create an RFP for penetration tests. | |