Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!

RETIRED CONTENT

Please note that the content on this page is retired. This content is not maintained and may contain information or links that are out of date.

Without an effective vulnerability management program, organizations face:

  • Vulnerabilities go undetected and are exploited by attackers.
  • The list of vulnerabilities seems endless, and you don’t know where to start.
  • Your vulnerability tool rates certain vulnerabilities as high urgency, but you know from your own context that they are not as critical as the tool reports.
  • You are told that everything must be patched, but you know that this is not possible or feasible. Patching can also break things.

Using Info-Tech’s methodology for vulnerability management, you will:

  • Develop a structured, consistent way to remediate vulnerabilities.
  • Understand the risk that certain vulnerability types pose to your organization, within the proper context of your business.
  • Gain insight around remediation methods that do not include patching, especially when patching is not possible or cannot be done in a timely fashion.
  • Develop a process that can withstand audit and makes good business sense.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Module 1: Identify Vulnerability Sources

The Purpose

  • Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

Key Benefits Achieved

  • Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

Activities and outputs:
1.1 Define the scope & boundary of your organization’s security program.
  • Defined scope and boundaries of the IT security program
1.2 Assign responsibility for vulnerability identification and remediation.
  • Roles and responsibilities defined for member groups
1.3 Develop a monitoring and review process of third-party vulnerability sources.
  • Process for review of third-party vulnerability sources
1.4 Review incident management and vulnerability management.
  • Alignment of vulnerability management program with existing incident management processes

Module 2: Triage and Prioritize

The Purpose

  • Examine the elements you will use to triage and analyze vulnerabilities, prioritize them using a risk-based approach, and prepare remediation options.

Key Benefits Achieved

  • A consistent, documented process for the evaluation of vulnerabilities in your environment.

Activities and outputs:
2.1 Evaluate your identified vulnerabilities.
  • Adjusted workflow to reflect your current processes
2.2 Determine high-level business criticality.
  • List of business operations and their criticality and impact to the business
2.3 Determine your high-level data classifications.
  • Adjusted workflow to reflect your current processes
2.4 Document your defense-in-depth controls.
  • List of defense-in-depth controls
2.5 Build a classification scheme to consistently assess impact.
  • Vulnerability Management Risk Assessment tool formatted to your organization
2.6 Build a classification scheme to consistently assess likelihood.
  • Vulnerability Management Risk Assessment tool formatted to your organization
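The activities above (business criticality, data classification, defense-in-depth controls, and separate impact and likelihood schemes) combine into a single risk ranking. The following is an added illustration written for this page, not Info-Tech’s Risk Assessment tool or its scales: the 1-4 criticality and data-classification scales, the CVSS bands, the list of recognised compensating controls, the remediation windows and the sample findings (placeholder identifiers, not real CVEs) are all assumptions. It shows the point made at the top of the page: a scanner-critical finding on a low-value, segmented test host can rank below a scanner-medium finding on an internet-facing system handling restricted data.

```python
"""Worked example of risk-based vulnerability prioritisation.

Each finding is scored on impact (business criticality and data
classification of the affected asset) and likelihood (scanner severity,
exposure, exploit availability, compensating controls), then ranked by
impact x likelihood instead of by scanner severity alone. All scales,
weights and remediation windows are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Assumed 1-4 scales for the two impact inputs (not a published standard).
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DATA_CLASS = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Defense-in-depth controls accepted as reducing likelihood (assumed list).
# Controls not in this set are ignored, so an unreviewed claim cannot lower a score.
MITIGATING_CONTROLS = {"network_segmentation", "waf", "application_allowlisting", "mfa"}


@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss: float            # base score reported by the scanner, 0.0-10.0
    criticality: str       # business criticality of the asset (CRITICALITY key)
    data_class: str        # highest data classification handled (DATA_CLASS key)
    internet_facing: bool
    exploit_public: bool   # a public exploit is known for this vulnerability
    controls: list[str] = field(default_factory=list)


def impact_score(f: Finding) -> int:
    """1-5: the higher of criticality and data class, plus one when both are high."""
    crit, data = CRITICALITY[f.criticality], DATA_CLASS[f.data_class]
    bump = 1 if min(crit, data) >= 3 else 0
    return min(5, max(crit, data) + bump)


def likelihood_score(f: Finding) -> int:
    """1-5: scanner severity band, raised by exposure and exploit availability,
    lowered by at most two recognised compensating controls."""
    if f.cvss >= 9.0:
        base = 4
    elif f.cvss >= 7.0:
        base = 3
    elif f.cvss >= 4.0:
        base = 2
    else:
        base = 1
    base += int(f.internet_facing) + int(f.exploit_public)
    mitigations = min(2, len(MITIGATING_CONTROLS.intersection(f.controls)))
    return min(5, max(1, base - mitigations))


def risk_score(f: Finding) -> int:
    """Risk on a 1-25 scale: impact x likelihood."""
    return impact_score(f) * likelihood_score(f)


def tier(score: int) -> str:
    """Map a risk score to a remediation window (assumed windows)."""
    if score >= 15:
        return "critical: remediate within 7 days"
    if score >= 9:
        return "high: remediate within 30 days"
    if score >= 4:
        return "medium: remediate within 90 days"
    return "low: next scheduled maintenance window"


def prioritize(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Return (vuln_id, risk, tier) ordered by risk, with CVSS as the tie-break."""
    ranked = sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)
    return [(f.vuln_id, risk_score(f), tier(risk_score(f))) for f in ranked]


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "dev-test-web", 9.8, "low", "public", False, True,
            ["network_segmentation", "application_allowlisting"]),
    Finding("VULN-B", "payments-api", 6.5, "critical", "restricted", True, False),
    Finding("VULN-C", "hr-portal", 7.5, "high", "confidential", False, True, ["mfa"]),
]

if __name__ == "__main__":
    # Scanner order would be A, C, B; the risk-based order is B, C, A.
    for vuln_id, score, window in prioritize(SAMPLE_FINDINGS):
        print(f"{vuln_id}: risk {score:2d} -> {window}")
```

Any downgrade driven by compensating controls should be recorded with the justification, so that the ranking can be defended in an audit and revisited when the controls change.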

Module 3: Remediate Vulnerabilities

The Purpose

  • Identifying potential remediation options.
  • Developing criteria for each option in regard to when to use and when to avoid.
  • Establishing exception procedure for testing and remediation.
  • Documenting the implementation of remediation and verification.

Key Benefits Achieved

  • Identifying and selecting the remediation option to be used
  • Determining what to do when a patch or update is not available
  • Scheduling and executing the remediation activity
  • Planning continuous improvement

Activities and outputs:
3.1 Develop risk and remediation action.
  • List of remediation options sorted into “when to use” and “when to avoid” lists

Module 4: Measure and Formalize

The Purpose

  • You will determine what ought to be measured to track the success of your vulnerability management program.
  • If you lack a scanning tool, this phase will help you select one.
  • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

Key Benefits Achieved

  • Outline of metrics that you can then configure your vulnerability scanning tool to report on.
  • Development of an inaugural policy covering vulnerability management.
  • The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
  • An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

Activities and outputs:
4.1 Measure your program with metrics, KPIs, and CSFs.
  • List of relevant metrics to track, and the KPIs, CSFs, and business goals they support
4.2 Update the vulnerability management policy.
  • Completed Vulnerability Management Policy
4.3 Create an RFP for vulnerability scanning tools.
  • Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
4.4 Create an RFP for penetration tests.
  • Completed Request for Proposal (RFP) document that can be distributed to vendor proponents