Gartner Research

Vulnerability Management

Published: 30 March 2012

ID: G00226986

Analyst(s): Eric Maiwald , Anton Chuvakin


Organizations can improve their overall security posture by implementing a systematic approach to managing vulnerabilities and configuration weaknesses across IT assets. Managing policies and vulnerabilities encompasses maintaining an inventory of covered resources, comparing the configuration and current state to policy, assessing risk level and implementing appropriate remediation techniques such as patching and configuration changes. Vulnerability assessment tools play a critical role in these vulnerability management practices. Comprehensive vulnerability management requires a blend of policy, process and technology.

Table Of Contents

Decision Point

Decision Context

  • Architectural Context
  • Related Decisions

Evaluation Criteria

  • Complying With Legal and Regulatory Requirements
  • Reducing Risk by Eliminating Software Vulnerabilities That Can Be Exploited
  • Mapping Organizational Policy to Technical Security Policy
  • Monitoring Vulnerability Disclosure Information
  • Prioritizing Assets and Vulnerabilities
  • Discovering and Managing Assets
  • Verifying and Validating Vulnerabilities on the Resource Layer
  • Managing Remediation
  • Achieving Separation of Duties
  • Reporting
  • Principles


  • Topology of Vulnerability Management Components
  • Assessment, Monitoring and Feedback
  • Vulnerability Assessment
  • Vulnerability Information Monitoring
  • Asset Value and Remediation Prioritization
  • Workflow and Trouble Ticketing
  • Safety Testing
  • Remediation

Future Developments

Decision Tool

Decision Justification

  • Topology of VA/SCA Components Position
    • Place Vulnerability/Technical Security Policy Servers in the Control Zone
  • Audit/Monitoring/Feedback Position
    • Verification of Host Configurations Position
    • Verification of Network Security Device Configurations Position
  • Vulnerability Assessment Position
    • Scanning Method Position
    • Frequency of Scanning Position
  • Vulnerability Information Monitoring Position
    • Monitor Internal and Multiple External Information Sources
    • Use a Consolidated External Information Source for Vulnerability Information Monitoring
    • Use Multiple External Sources for Vulnerability Information
  • Remediation Prioritization Position
    • Relative Asset Importance Position
    • Remediation Prioritization Position
  • Workflow and Trouble-Ticketing Integration Position
    • Couple the VA Tools With the Enterprise Workflow System
    • Deploy a Dedicated Workflow System to Manage Vulnerabilities
  • Safety Testing Position
    • Testing Remediation on Servers and in Production Server Applications Position
    • Testing Remediation for Client Devices Position
  • Remediation Position
    • Use an Automated Mechanism for Vulnerability Remediation
    • Use a Manual Process

Recommended Reading

Revision History

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Become a client

Learn how to access this content as a Gartner client.