The path is starting to get steeper now as we climb to ML2. It is time to start defining a vulnerability management program with objectives and goals. This program is expected to grow and evolve over time as the organization grows and evolves.

Document the requirements

Start by documenting what is in place now and what objectives the organization is trying to reach.

Define the stakeholders

The stakeholders should come from multiple departments within the organization. For example, you will need buy-in from:

  • IT
  • Executive and senior management
  • Legal
  • Security and/or Compliance teams
  • Critical service and system owners

Obtain business priority endorsement

For the program to be successful, senior management must endorse and fund it as a business priority. There will be personnel and budget costs to implement and run the program, so these resources need to be allocated. If the program is not a well-funded priority for the organization, the likelihood of failure is high.

Questions to ask

The vulnerability management process should start by answering some basic questions:

1. What are the roles and responsibilities?

    • Who runs the tool(s) used to find vulnerabilities?
    • Who is responsible for the remediation of any vulnerabilities that are found?

2. How often will assets be evaluated?

3. How and when are the results being communicated?

4. What are the standard remediation timelines?

5. How are exceptions handled?

6. How is success measured?

7. What metrics will be tracked to make sure the program is working?

    • When are the metrics being reviewed?
    • Who is the owner for each metric?

8. Does the business need to adhere to any special regulations that will impact the program? (PCI, SOX, HIPAA, etc.)
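Questions 1, 4, 5 and 7 above (ownership, remediation timelines, exception handling and metrics) are the ones that turn into concrete tracking once the program runs. The following is an added example, not code from the original page: a small tracker that applies assumed per-severity remediation timelines to a constructed list of findings, honours time-boxed exceptions, and rolls the results up into the metrics an owner would review (SLA compliance per severity, overdue items per responsible owner, mean time to remediate). The SLA values, finding ids, asset names, owners and dates are all made up for the example.

```python
"""Remediation-SLA tracker (added example; assumptions are marked inline)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Standard remediation timelines in days by severity (assumed values, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Statuses that count as a breach of the timeline.
BREACH = {"fixed_late", "overdue", "expired_exception"}


@dataclass
class RiskException:
    approver: str
    expires: date     # exceptions are time-boxed; an expired one is a breach again
    reason: str


@dataclass
class Finding:
    asset: str
    finding_id: str   # constructed placeholder ids, not real CVE numbers
    severity: str
    found: date
    owner: str        # who is responsible for remediation (question 1)
    fixed: Optional[date] = None
    exception: Optional[RiskException] = None

    def due(self) -> date:
        return self.found + timedelta(days=SLA_DAYS[self.severity])


def status(f: Finding, today: date) -> str:
    """Classify one finding as of `today`.

    fixed_on_time / fixed_late : closed, compared against the due date
    excepted                   : open but covered by an unexpired exception
    expired_exception          : exception lapsed and the finding is still open
    open / overdue             : no exception, before / after the due date
    """
    if f.fixed is not None:
        return "fixed_on_time" if f.fixed <= f.due() else "fixed_late"
    if f.exception is not None:
        return "excepted" if f.exception.expires >= today else "expired_exception"
    return "overdue" if today > f.due() else "open"


def metrics(findings: List[Finding], today: date) -> Dict:
    """Roll findings up into the metrics a program owner would review."""
    by_status: Dict[str, int] = {}
    overdue_by_owner: Dict[str, int] = {}
    verdicts: Dict[str, List[bool]] = {sev: [] for sev in SLA_DAYS}
    ttr: List[int] = []  # time to remediate, in days, for closed findings

    for f in findings:
        s = status(f, today)
        by_status[s] = by_status.get(s, 0) + 1
        # Only findings with a verdict (met or breached) count toward compliance;
        # still-open and validly excepted findings are not yet decided.
        if s == "fixed_on_time" or s in BREACH:
            verdicts[f.severity].append(s == "fixed_on_time")
        if s in ("overdue", "expired_exception"):
            overdue_by_owner[f.owner] = overdue_by_owner.get(f.owner, 0) + 1
        if f.fixed is not None:
            ttr.append((f.fixed - f.found).days)

    sla_compliance = {sev: (sum(v) / len(v) if v else None) for sev, v in verdicts.items()}
    return {
        "by_status": by_status,
        "sla_compliance": sla_compliance,
        "overdue_by_owner": overdue_by_owner,
        "mttr_days": mean(ttr) if ttr else None,
    }


# Constructed sample findings; ids, assets, owners and dates are made up for this example.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Finding("web-01", "VULN-0001", "critical", date(2024, 6, 1), "web-team", fixed=date(2024, 6, 5)),
    Finding("web-01", "VULN-0002", "high", date(2024, 5, 1), "web-team", fixed=date(2024, 6, 10)),
    Finding("db-01", "VULN-0003", "critical", date(2024, 6, 20), "dba"),
    Finding("db-01", "VULN-0004", "medium", date(2024, 6, 1), "dba"),
    Finding("legacy-01", "VULN-0005", "high", date(2024, 4, 1), "app-team",
            exception=RiskException("CISO", date(2024, 12, 31), "vendor patch pending")),
    Finding("legacy-01", "VULN-0006", "high", date(2024, 4, 1), "app-team",
            exception=RiskException("CISO", date(2024, 6, 1), "compensating control")),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.finding_id:10} {f.severity:8} due {f.due()}  {status(f, TODAY)}")
    print(metrics(SAMPLE, TODAY))
```

The design choice worth noting is that an exception is never open-ended: once its expiry passes, the finding is reported as a breach again (`expired_exception`) and attributed to its owner, which is what keeps the exception process (question 5) from silently eroding the timelines (question 4).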

Getting started

Starting a program from scratch may seem like a daunting task, but your security vendors should be ready …