- Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
- Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.
Our Advice
Critical Insight
- Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
- Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
- There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.
Impact and Result
- At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
- Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
- The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
- With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
- Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
Overall Impact: 9.4/10
Average $ Saved: $123,394
Average Days Saved: 31

Client | Experience | Impact | $ Saved | Days Saved
Peel Regional Police | Guided Implementation | 9/10 | $5,000 | 10
Yolo County | Guided Implementation | 9/10 | $18,849 | 18
City of Atlanta / Atlanta Information Management (AIM) | Guided Implementation | 10/10 | N/A | 20
Girl Guides of Canada | Guided Implementation | 10/10 | N/A | 10
Noramco, LLC | Guided Implementation | 10/10 | $32,499 | 60
  "The experience was absolutely great. Mr. Sooknanan's experience and approaches are exceptional."
California Natural Resources Agency | Guided Implementation | 10/10 | N/A | 32
  "Shastri proves to be a valuable asset to any conversation I've been a part of with him. He is knowledgeable and provides useful insights and recomme..."
Texas Mutual Insurance Company | Workshop | 10/10 | $12,999 | 16
  "Michel did an amazing job of uniting our team on topics that we were not aligned on previously. His execution style was phenomenal. Feedback from..."
Farm Credit Southeast Missouri | Guided Implementation | 9/10 | $2,339 | 2
Virginia Department of Taxation | Workshop | 9/10 | $2,469 | N/A
  "The engagement and information were great."
Marshall University | Guided Implementation | 9/10 | $12,999 | 32
  "Shastri is a great analyst to work with as he had prior experience in IT vulnerability management. It took our team a little bit of time to wrap ou..."
British Columbia Institute of Technology | Guided Implementation | 9/10 | $900K | 110
  "I have not really seen any worst part in the engagement; rather, I think it has actually enhanced my vulnerability skills and exposed me to a more..."
Franciscan Missionaries of Our Lady Health System | Workshop | 9/10 | N/A | 32
  "The information shared by our presenter Shastri Sooknana is terrific. He did a great job of understanding our current state and what we were hopin..."
Statistics New Zealand | Guided Implementation | 10/10 | $8,679 | 10
State of Michigan | Workshop | 7/10 | $12,399 | 10
  "I was hoping for more ways to approach the ideas provided, but in an automated process."
South Carolina State Ports Authority | Guided Implementation | 10/10 | $60,319 | 20
  "Best? Validating we're on the right path for most of our preliminary work and thought-provoking for a few of the more granular parts of the process..."
Legal Services Corporation | Guided Implementation | 9/10 | N/A | N/A
Trihealth | Guided Implementation | 9/10 | N/A | N/A
STERIS Corporation | Guided Implementation | 8/10 | $62,999 | 50
  "The best part of the experience so far is the vast knowledge I am able to gain through the InfoTech resources. Also, with how knowledgeable all of..."
Investors Bank | Guided Implementation | 10/10 | N/A | N/A
  "I haven't received the actual feedback, but from the discussion we had, I am confident the material and feedback is going to improve and help matur..."
Delta Dental Plan Of Colorado | Guided Implementation | 10/10 | N/A | 29
  "Aaron was very easy to work with and provided a lot of valuable information. Did not have any worst part; Aaron did a great job."
Trinidad and Tobago Unit Trust Corporation | Guided Implementation | 8/10 | N/A | N/A
Ocean Spray Cranberries | Guided Implementation | 8/10 | N/A | N/A
Workshop: Implement Risk-Based Vulnerability Management
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Identify Vulnerability Sources
The Purpose
- Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
Key Benefits Achieved
- Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.
Activities
Outputs
Define the scope & boundary of your organization’s security program.
- Defined scope and boundaries of the IT security program
Assign responsibility for vulnerability identification and remediation.
- Roles and responsibilities defined for member groups
Develop a monitoring and review process of third-party vulnerability sources.
- Process for review of third-party vulnerability sources
Review incident management and vulnerability management.
- Alignment of vulnerability management program with existing incident management processes
Module 2: Triage and Prioritize
The Purpose
- Examine the elements you will use to triage and analyze vulnerabilities, prioritize them using a risk-based approach, and prepare for remediation options.
Key Benefits Achieved
- A consistent, documented process for the evaluation of vulnerabilities in your environment.
Activities
Outputs
Evaluate your identified vulnerabilities.
- Adjusted workflow to reflect your current processes
Determine high-level business criticality.
- List of business operations and their criticality and impact to the business
Determine your high-level data classifications.
- Adjusted workflow to reflect your current processes
Document your defense-in-depth controls.
- List of defense-in-depth controls
Build a classification scheme to consistently assess impact.
- Vulnerability Management Risk Assessment tool formatted to your organization
Build a classification scheme to consistently assess likelihood.
- Vulnerability Management Risk Assessment tool formatted to your organization
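As an added illustration of the Module 2 classification scheme (this is example code, not Info-Tech's Vulnerability Management Risk Assessment tool), the Python below scores constructed scanner findings on impact (business criticality, data classification) and likelihood (scanner severity, known threat, defense-in-depth controls), then routes Critical/High results to immediate action and Medium/Low to the standard cycle as described under Impact and Result. The scales, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed 1..3 scales for the organizational context a finding is assessed against
BUSINESS_CRITICALITY = {"low": 1, "medium": 2, "high": 3}
DATA_CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3}
SCANNER_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE
    scanner_severity: str   # what the scanning tool reports
    criticality: str        # business criticality of the affected asset
    data_class: str         # classification of the data the asset handles
    exploit_public: bool    # threat: is a working exploit publicly known?
    controls: int           # effective defense-in-depth controls in front of the asset

def impact(f: Finding) -> int:
    """Impact 1..3: the worse of business criticality and data classification."""
    return max(BUSINESS_CRITICALITY[f.criticality], DATA_CLASSIFICATION[f.data_class])

def likelihood(f: Finding) -> int:
    """Likelihood 1..3 from severity plus threat, reduced by compensating controls."""
    score = SCANNER_SEVERITY[f.scanner_severity] + (1 if f.exploit_public else 0)
    score -= min(f.controls, 2)   # assumption: controls lower likelihood by at most two steps
    return max(1, min(3, score))

def risk_rating(f: Finding) -> str:
    """Map impact x likelihood (1..9) onto the four ratings the program acts on."""
    score = impact(f) * likelihood(f)
    if score >= 8: return "Critical"
    if score >= 6: return "High"
    if score >= 3: return "Medium"
    return "Low"

def remediation_track(f: Finding) -> str:
    """Critical/High go to immediate action; Medium/Low wait for the standard cycle."""
    return "immediate" if risk_rating(f) in ("Critical", "High") else "standard cycle"

# Constructed findings: note the critical scanner rating on the kiosk ends up Low
# once asset context and controls are considered, while the medium rating on the
# wiki is escalated because an exploit is public and nothing sits in front of it.
SAMPLE_FINDINGS = [
    Finding("payroll-db", "VULN-0001", "critical", "high", "confidential", True, 0),
    Finding("lobby-kiosk", "VULN-0002", "critical", "low", "public", False, 2),
    Finding("intranet-wiki", "VULN-0003", "medium", "medium", "internal", True, 0),
]

def triage(findings):
    """Return {asset: (rating, track)} for a batch of findings."""
    return {f.asset: (risk_rating(f), remediation_track(f)) for f in findings}
```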
Module 3: Remediate Vulnerabilities
The Purpose
- Identifying potential remediation options.
- Developing criteria for each option in regard to when to use and when to avoid.
- Establishing exception procedure for testing and remediation.
- Documenting the implementation of remediation and verification.
Key Benefits Achieved
- Identifying and selecting the remediation option to be used
- Determining what to do when a patch or update is not available
- Scheduling and executing the remediation activity
- Planning continuous improvement
Activities
Outputs
Develop risk and remediation action.
- List of remediation options sorted into “when to use” and “when to avoid” lists
Module 4: Measure and Formalize
The Purpose
- You will determine what ought to be measured to track the success of your vulnerability management program.
- If you lack a scanning tool, this phase will help you with tool selection.
- Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.
Key Benefits Achieved
- Outline of metrics that you can then configure your vulnerability scanning tool to report on.
- Development of an inaugural policy covering vulnerability management.
- The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
- An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
Activities
Outputs
Measure your program with metrics, KPIs, and CSFs.
- List of relevant metrics to track, and the KPIs, CSFs, and business goals they support.
Update the vulnerability management policy.
- Completed Vulnerability Management Policy
Create an RFP for vulnerability scanning tools.
- Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
Create an RFP for penetration tests.
- Completed Request for Proposal (RFP) document that can be distributed to vendor proponents