Climbing the Vulnerability Management Mountain: Reaching Maturity Level 2

The path is starting to get steeper now as we climb to ML2. It is time to start defining a vulnerability management program with objectives and goals. This program is expected to grow and evolve over time as the organization grows and evolves.

Document the requirements

Start by documenting what is in place now and what objectives the organization is trying to reach.

Define the stakeholders

The stakeholders should come from multiple departments within the organization. For example, you will need buy-in from:

- IT
- Executive and senior management
- Legal
- Security and/or compliance teams
- Critical service and system owners

Obtain business priority endorsement

For the program to be successful, senior management must endorse and fund it as a business priority. There will be personnel and budget costs to implement and run the program, so these resources need to be allocated. If the program is not a well-funded priority for the organization, the likelihood of failure is high.

Questions to ask

The vulnerability management process should start by answering some basic questions:

1. What are the roles and responsibilities?
   - Who runs the tool(s) used to find vulnerabilities?
   - Who is responsible for the remediation of any vulnerabilities that are found?
2. How often will assets be evaluated?
3. How and when are the results being communicated?
4. What are the standard remediation timelines?
5. How are exceptions handled?
6. How is success measured?
7. What metrics will be tracked to make sure the program is working?
   - When are the metrics being reviewed?
   - Who is the owner for each metric?
8. Does the business need to adhere to any special regulations that will impact the program? (PCI, SOX,