Published: 22 June 2017
Summary
Vulnerability management (VM), including vulnerability assessment (VA), represents a proactive layer of enterprise threat defense. VM remains very challenging for many organizations, and this guidance presents a structured approach to VM best practices for technical professionals focused on security.
Included in Full Research
- Vulnerability Defined
- Vulnerability Management and Vulnerability Assessment Defined
- Planning and Scope Definition
- Create and Refine VM Policy
- Define VM Process Scope
- Vulnerability Assessment
- Establish Objectives, Scope and Architecture
- Define the VA Operational Model
- Execute the VA Cycle
- Remediation and Mitigation
- Prioritize Vulnerabilities
- Decide on a Course of Action
- Remediate
- Mitigate
- Define and Manage Exceptions
- Validate Success and Rescan
- Enhance Security Monitoring Where Needed
- Measure VM Activities
- Seek to Eliminate Root Causes
- Vulnerability Management Alone Is Not Enough
- It's Not Possible to Immediately Fix All Identified Vulnerabilities
- There Is No Successful VM Without Effective Communication
- Insufficient Resources Allocated to Remediation Will Cause Vulnerabilities to Accumulate
- Fixing Only "High" and "Critical" Vulnerabilities Is Not Enough
- Broad Exceptions Are Risky
- Mitigation Without Previous Planning Can Be Disastrous
- Related Guidance