CySA+ Domain #5: Vulnerability Management Process - Security Boulevard



Vulnerability management is an essential aspect of cybersecurity analysis. After all, tracking down, identifying and resolving vulnerabilities is something that cybersecurity analysts do on a near-daily basis. 

This article will detail the vulnerability management process that will appear on the CompTIA CySA+ certification exam. It will guide you through this relatively straightforward, albeit still important, domain of knowledge. 


Vulnerability management process at a glance

The vulnerability management process, as reflected in CySA+ objective 2.1, is the following:

  1. Identification of requirements
  2. Establish scanning frequency
  3. Configure tools to perform scans according to specification
  4. Execute scanning
  5. Generate reports
  6. Remediation
  7. Ongoing scanning and continuous monitoring (Please note: because this step largely repeats the previous steps, it does not need to be covered in depth)

Identification of requirements

Regulatory environment

Knowing what your organization is trying to achieve is key to creating a vulnerability management process. Regulatory requirements are the first to be looked at, and it is necessary to know which ones apply to your organization. You may need to consider:

  • Health Insurance Portability and Accountability Act (HIPAA): This applies to organizations that deal with Protected Health Information, or PHI
  • Payment Card Industry Data Security Standard (PCI-DSS): Protects credit card information and governs how it is exchanged between parties (merchants, processors and financial institutions)
  • Sarbanes-Oxley (SOX): Establishes standards for maintaining accurate and secure financial records for publicly traded companies

Other factors affecting the identification of requirements are:

  • Corporate policy: Can establish which vulnerabilities are acceptable, exceptions to the general security posture and how different classifications of data are handled
  • Inventory of protected assets: Lays out which, if any, assets have different technical controls than others. More-critical assets have tighter controls than less-critical assets

Establish scanning frequency

Organizations must perform scans repeatedly. The frequency that scans must be run is determined (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at:
