The path is starting to get steeper now as we climb to ML2. It is time to start defining a vulnerability management program with objectives and goals. This program is expected to grow and evolve over time as the organization grows and evolves.
Document the requirements
Start by documenting what is in place now and what objections the organization is trying to reach.
Define the stakeholders
The stakeholders should come from multiple departments within the organization. For example, you will need buy-in from:
- Executive and Senior management
- Security and/or Compliance teams
- Critical service and system owners
Obtain business priority endorsement
For the program to be successful, senior management must endorse and fund it as a business priority. There will be personnel and budget costs to implement and run the program, so these resources need to be allocated. If the program is not a well-funded priority for the organization, the likelihood of failure is high.
Questions to ask
The vulnerability management process should start by answering some basic questions:
1. What are the roles and responsibilities?
- Who runs the tool(s) used to find vulnerabilities?
- Who is responsible for the remediation of any vulnerabilities that are found?
2. How often will assets be evaluated?
3. How and when are the results being communicated?
4. What are the standard remediation timelines?
5. How are exceptions handled?
6. How is success measured?
7. What metrics will be tracked to make sure the program is working?
- When are the metrics being reviewed?
- Who is the owner for each metric?
Starting a program from scratch may seem like a daunting task, but your security vendors should be ready (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Lamar Bailey. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/climbing-vulnerability-management-mountain-reaching-ml2/