Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!

Major Business Pain Points

  • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
  • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.
Recommendations

Key Points

  • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
  • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option that goes beyond patching alone.
  • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

Approach

  • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
  • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
  • The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium and low vulnerabilities.
  • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
  • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

Methodology and Tools

Executive Brief

Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review the methodology, and understand the four ways we can support you in completing this project.

  • Implement Risk-Based Vulnerability Management – Executive Brief
  • Implement Risk-Based Vulnerability Management – Phases 1-4

1. Identify vulnerability sources

Begin the project by creating a vulnerability management team and determining how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

  • Vulnerability Management SOP Template

2. Triage vulnerabilities and assign priorities

Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

  • Vulnerability Tracking Tool
  • Vulnerability Management Risk Assessment Tool
  • Vulnerability Management Workflow (Visio)
  • Vulnerability Management Workflow (PDF)

3. Remediate vulnerabilities

Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk to medium/low levels and let your regular operational processes deal with what remains.
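The triage and remediation steps above can be illustrated with a small scoring model. The following is an added worked example, not the blueprint's own Risk Assessment Tool or any Info-Tech code: it takes constructed scanner findings and asset context (business criticality, data sensitivity, exposure, whether the system can be patched), scales each finding's intrinsic CVSS severity by that context, assigns a tier, routes critical/high findings to immediate action and medium/low findings to the standard cycle, and selects a compensating control instead of a patch where a system cannot be patched. The weights, thresholds and sample inventory are assumptions made for this example.

```python
"""Risk-based triage of scanner findings.

Added worked example; the scoring weights, tier thresholds and sample data
below are assumptions made here, not the blueprint's own risk assessment tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # impact on business functions, 1 (low) .. 5 (critical)
    data_sensitivity: int  # sensitivity of data handled, 1 (public) .. 5 (regulated)
    internet_facing: bool
    patchable: bool        # False for systems that cannot be patched (legacy, vendor-locked)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss_base: float       # intrinsic severity as reported by the scanner, 0.0 .. 10.0
    exploit_known: bool    # public exploit or active exploitation reported by a threat feed


# Assumed model parameters for this example.
INTERNAL_EXPOSURE = 0.7     # internal-only assets carry less exposure than internet-facing ones
KNOWN_EXPLOIT_WEIGHT = 1.5  # threat intelligence raises urgency
TIERS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))


def risk_score(finding: Finding, asset: Asset) -> float:
    """Scale the scanner's intrinsic severity by organizational context.

    context = (criticality + data_sensitivity) / 10, i.e. 0.2 .. 1.0
    """
    context = (asset.criticality + asset.data_sensitivity) / 10.0
    exposure = 1.0 if asset.internet_facing else INTERNAL_EXPOSURE
    threat = KNOWN_EXPLOIT_WEIGHT if finding.exploit_known else 1.0
    return round(min(10.0, finding.cvss_base * context * exposure * threat), 1)


def tier(score: float) -> str:
    """Map a contextual risk score onto the blueprint's critical/high/medium/low tiers."""
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "low"


def remediation_track(t: str) -> str:
    """Critical/high get immediate action; medium/low go to the regular operational cycle."""
    return "immediate" if t in ("critical", "high") else "standard cycle"


def remediation_option(asset: Asset) -> str:
    """Patching is not the only option: an unpatchable system gets a compensating control
    drawn from existing security controls (segmentation, access restriction, monitoring)."""
    return "patch" if asset.patchable else "compensating control"


def prioritize(findings, assets):
    """Return findings ordered by contextual risk, each with tier, track and option."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        s = risk_score(f, a)
        t = tier(s)
        rows.append({"id": f.finding_id, "asset": a.name, "cvss": f.cvss_base,
                     "risk": s, "tier": t, "track": remediation_track(t),
                     "option": remediation_option(a)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample inventory and scanner output (not real systems or findings).
ASSETS = [
    Asset("web-portal", criticality=5, data_sensitivity=4, internet_facing=True, patchable=True),
    Asset("hr-db", criticality=4, data_sensitivity=5, internet_facing=False, patchable=True),
    Asset("plant-hmi", criticality=5, data_sensitivity=3, internet_facing=False, patchable=False),
    Asset("dev-wiki", criticality=2, data_sensitivity=2, internet_facing=False, patchable=True),
]
FINDINGS = [
    Finding("F-1", "web-portal", cvss_base=9.8, exploit_known=True),
    Finding("F-2", "hr-db", cvss_base=7.5, exploit_known=False),
    Finding("F-3", "plant-hmi", cvss_base=8.8, exploit_known=True),
    Finding("F-4", "dev-wiki", cvss_base=9.1, exploit_known=False),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        print(f"{r['id']} {r['asset']:<11} cvss={r['cvss']:<4} risk={r['risk']:<4} "
              f"{r['tier']:<8} {r['track']:<14} {r['option']}")
```

Two things the sample shows that the scanner output alone does not: a CVSS 9.1 finding on a low-value internal wiki drops to the low tier and waits for the standard cycle, while a CVSS 8.8 finding on an unpatchable plant system with a known exploit lands in the high tier and is routed to immediate action through a compensating control rather than a patch.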

4. Measure and formalize

Evolve the program continually by developing metrics and formalizing a policy.

  • Vulnerability Management Policy
  • Vulnerability Scanning Tool RFP Template
  • Penetration Test RFP Template

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.