Vulnerability Management Program


A cyberattack often begins by exploiting unpatched software or unhardened network devices, or by social engineering via phishing, which bypasses layers of network defenses to gain unauthorized access to a network.  The attack can hinder, impede, or pause productivity at inconvenient times.  The threat of misused information […] and the rising use of technology to improve efficiency consistently introduce new risks (Rechtman & Rashbaum, 2015 May, 54-57).  ISO/IEC 27000:2018 defines a vulnerability as a “weakness of an asset or group of assets that can be exploited by one or more threats” (Pollack, 2018 September 20).  A countermeasure is a comprehensive vulnerability management plan (VMP), a facet of risk management, within the umbrella of an operationalized information security program.  The VMP’s scope should include vulnerabilities inherent to passwords, physical security, IAM and PAM, Internet traffic, network traffic, software, data, and access controls.  (Note: an effective and efficient risk management plan and program spans the seven domains of IT infrastructure: remote access, systems and applications, WAN, LAN-to-WAN, LAN, workstations, and users.)

Vulnerability management is a set of processes and technologies that establish and maintain a security configuration baseline to discover, prioritize, and mitigate exposures.  Effectively managing vulnerabilities is really about patching, updating software, hardening configurations, and implementing technical policies on IT assets (Evans, 2017 August 9).  Gartner suggests that known vulnerabilities still comprise 99 percent of all known exploit traffic […] (e.g. malware, ransomware, and exploit kits target vulnerabilities that are six months or older on average) (Evans, 2017 August 9).  A VMP can be planned for, implemented, and managed effectively via three consecutive phases: a strategic, a tactical, and an operational plan.  Progress then advances along a spiral path through continual service improvement (borrowed from ITIL v3 processes) (IT Info, n.d.).

Strategic Planning

Strategic Plan: Phase I

Vulnerability management helps to identify and evaluate the risks of IT vulnerabilities (Pollack, 2018 September 20).  The strategic plan is a written, high-level plan outlining the objectives of the VMP desired by C-level executives; its preparation is supervised by the CSO and endorsed by C-level executives.  When designing the strategic plan, the expectations placed on the VMP are key to managing organizational risk and internal control (Unser, 2019 February 2).  An effective strategic plan requires C-level executives to agree on its goals and on the context of the assets to secure, followed by how to discover those assets, assess their security gaps, remediate those gaps, respond to incidents, measure the plan’s progress, and enhance it.  Progress can be measured by conducting a special (internal or external) audit at scheduled intervals.

Tactical Plan: Phase II

The tactical plan is written by business unit leaders (e.g. the CISO) and defines the scope used to carry out the objectives of the strategic plan; it is endorsed by the CSO and supported by C-level executives.  The tactics used to conduct the VMP are policies, procedures, technical and administrative tools, and processes.  NIST SP 800-30 r1 recommends four core processes: frame, assess, respond, and monitor (NIST, n.d.).  ISACA’s Certified in Risk and Information Systems Control (CRISC) framework suggests four similar processes.

I. Frame by Identifying the Context of Assets.  Framing vulnerabilities begins by associating the risks inherent in business processes with the objectives those processes serve.  Vulnerability management is a facet of risk management: determine asset value, choose risk mitigation controls, then monitor and assess the value of those controls in the everyday environment (Murphy, 2015, 194).  The context of assets includes access controls into physical facilities (physical, administrative, and technical), a clean desk policy, interactive security controls on computers, identity and access management, role-based access controls, controls to ensure compliance with privacy laws, and mobile device management.  Therefore, a VMP should address access controls, proprietary and generic datasets, and security from CSPs; obtain cybersecurity insurance; procure and distribute security awareness training for employees, vendors, and extranet customers; create a written information security plan (WISP); and evaluate data retention policies (Rechtman & Rashbaum, 2015 May, 54-57).  The goal is to include methods to recognize threats, address risks, and create an effective plan of counterattack (Rechtman & Rashbaum, 2015 May, 54-57).

II. Asset Discovery.  When networks are spread across cloud, virtual, mobile, and on-premises environments, blind spots create risks (Bisson, 2017 October 15).  With the context of assets framed, the assets must be discovered both by physical inventory and logically via a scanner (e.g. Nessus or Qualys) to eliminate blind spots in asset activity […] which attackers could exploit to conceal their malicious activity (Bisson, 2017 October 15).  The Center for Internet Security’s Critical Security Controls suggest two consecutive approaches to asset discovery, outlined in Appendix C, CIS CSC 1 and 2 (Bisson, 2017 October 15).  Asset discovery should include identification of access controls into facilities, rooms with critical assets, file rooms, firewalls, servers, computers, mobile devices, websites, databases, cloud storage, and IP telephony devices.  All discovered assets should be entered into a risk log, categorized, and prioritized by how critical they are to daily operations; the risk log is signed off by the asset owners [as stakeholders], the CSO, COO, and CEO.  The remediation plan and incident response are aligned to the priorities in the risk log and benchmarked near, equal to, or sooner than published standards such as NIST SP 800-30 r1.
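The reconciliation of a physical inventory against scanner output, and the criticality-ordered risk log it feeds, as an added Python example that is not code from the original post or from any scanner vendor. The inventory entries, scan results, hostnames, IPs and owners are constructed sample data; the rule that an unknown device is logged as high criticality with an unassigned owner until triaged is an assumption made here, not a requirement from the cited sources.

```python
"""Added example (not from the original post): reconcile a physical inventory
with scanner output to surface blind spots, then build a risk log ordered by
asset criticality.  All inventory and scan data below are constructed sample
values; no scanner is called."""
from dataclasses import dataclass, field

# Criticality tiers in the order remediation and response should follow.
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Asset:
    ident: str          # hostname or serial from the inventory
    ip: str
    category: str       # e.g. server, workstation, firewall, ip-telephony
    criticality: str    # importance to daily operations
    owner: str          # stakeholder who signs off the risk log entry
    sources: set = field(default_factory=set)  # which discovery methods saw it


# Constructed physical inventory: what the asset register says exists.
INVENTORY = [
    Asset("fw-edge-01", "10.0.0.1", "firewall", "critical", "netops"),
    Asset("db-erp-01", "10.0.1.10", "database", "critical", "erp-team"),
    Asset("ws-fin-22", "10.0.2.22", "workstation", "medium", "finance"),
    Asset("pbx-01", "10.0.3.5", "ip-telephony", "high", "facilities"),
]

# Constructed scanner output: IP plus the category guessed from its fingerprint.
SCAN_RESULTS = [
    {"ip": "10.0.0.1", "category": "firewall"},
    {"ip": "10.0.1.10", "category": "database"},
    {"ip": "10.0.2.22", "category": "workstation"},
    {"ip": "10.0.4.77", "category": "server"},     # not in the inventory
]


def reconcile(inventory, scan_results):
    """Merge both views keyed by IP.  Returns (assets, blind_spots), where a
    blind spot is an asset seen by only one source: an unknown device on the
    network, or a registered device the scanner cannot reach."""
    by_ip = {}
    for asset in inventory:
        asset.sources.add("inventory")
        by_ip[asset.ip] = asset
    for result in scan_results:
        asset = by_ip.get(result["ip"])
        if asset is None:
            # Assumption: unknown devices are logged as high until an owner triages them.
            asset = Asset(f"unknown-{result['ip']}", result["ip"],
                          result["category"], "high", "UNASSIGNED")
            by_ip[result["ip"]] = asset
        asset.sources.add("scanner")
    assets = list(by_ip.values())
    blind_spots = [a for a in assets if len(a.sources) < 2]
    return assets, blind_spots


def build_risk_log(assets):
    """Order the log by criticality tier; within a tier, blind spots come first
    because they are the entries nobody has fully accounted for yet."""
    return sorted(assets, key=lambda a: (CRITICALITY_RANK[a.criticality],
                                         len(a.sources) == 2, a.ident))


if __name__ == "__main__":
    assets, blind = reconcile(INVENTORY, SCAN_RESULTS)
    for a in build_risk_log(assets):
        flag = "BLIND SPOT" if a in blind else ""
        print(f"{a.criticality:<9} {a.ident:<20} {a.ip:<12} owner={a.owner:<12} "
              f"seen_by={sorted(a.sources)} {flag}")
```

In a real program the two lists come from the asset register export and the scanner's host report; the point of the merge is that the two disagreeing rows (pbx-01 unseen by the scanner, 10.0.4.77 unknown to the register) are exactly the blind spots the text warns about, and they surface at the top of their tier for sign-off.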

III. Vulnerability Assessment.  A vulnerability assessment is a proactive method to discover latent vulnerabilities before an exploit can inflict negative impact.  The vulnerability assessment has four core phases: 1. Initial assessment.  2. Define the system baseline.  3. Perform the vulnerability scan (or audit).  4. Create the vulnerability report (Gonzalez, 2018 June 8).  Physical and password security are assessed via a physical audit and a technology audit, respectively.  Internal threats are often presented by individuals who are authorized to access data sets and decide, for a variety of reasons, to misuse the data during or after the access period (Rechtman & Rashbaum, 2015 May, 54-57).  Vulnerability assessments of physical security and logical security are more likely to succeed if divided between the IT and IAS departments, with the CSO overseeing report content.  The IT department is more likely to maintain vulnerability management of its access controls to critical spaces, devices, and applications if it has control over identifying and remediating its own security controls.  A detailed report outlines the scope of the environment, the methodology, and a detailed explanation of the vulnerabilities detected (with the evidence collected); it often includes a baseline profile of the targets and recommendations for improvement (Unser, 2019 February 2).

Operational Plan: Phase III

The operational plan is written to carry out the scope of the tactical plan via a defined, repeatable process of procedures and activities; it is prepared by the security team leader, endorsed by the CISO, and supported by the CSO.  Its objectives are to remediate assessment results, evaluate threat intelligence, coordinate incident response as needed, and measure performance via continual service improvement (CSI) processes (IT Info, n.d.).  CSI reports and recommendations for improvement are forwarded by the security team leader to the CISO for handling and discussion with the CSO.


IV. Remediation.  Remediation entails consecutive manual procedures that remove vulnerabilities from assets; the vulnerabilities change with the threat landscape.  Remediation of assessment and audit results should be aligned with the priorities in the risk log and completed near the benchmarks of published standards [as noted above].  Evans (2017 August 9) notes that remediation aligns the probability of exploit with the impact of an attack.  Technical security configuration standards per industry-recognized practices provide implementation details for hardening and specify recommendations for organizations (Evans, 2017 August 9).  In practice this means the correct configuration of software applications for specific industries; configurations may need modification to fit the computing platform of a business.  Remediation activities include closing dormant user accounts, rolling back unused account privileges, hardening operating systems and software by installing patches, and closing unused ports, services, and processes.  All remediation activities should be validated by basic or advanced penetration testing before the vulnerability is considered closed.  For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting, and even specific remediation time frames (Evans, 2017 August 9).  Baseline security configurations, staffing, workload, and funding influence the goals achieved through remediation.
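The baseline, scan and report phases of the assessment (section III) carried through into the probability-times-impact prioritization and time-framed remediation described here, as one added Python example that is not code from the original post, from PCI DSS, NIST or any vendor. The baseline, scan findings, vulnerability identifiers (PLACEHOLDER-VULN-*), impact weights, likelihood formula, priority bands and SLA day counts are all constructed assumptions chosen to make the mechanics visible, not published figures.

```python
"""Added example (not from the original post or any cited source): compare a
scan against a defined system baseline, score each finding by exploit
likelihood and asset impact, and assign a remediation due date from an SLA
table.  Every value below is a constructed placeholder."""
from datetime import date, timedelta

# Constructed baseline: criticality and the ports each asset may expose.
BASELINE = {
    "db-erp-01": {"criticality": "critical", "allowed_ports": {5432}},
    "ws-fin-22": {"criticality": "medium", "allowed_ports": set()},
}

# Constructed scan output: open ports plus detected vulnerabilities with a
# CVSS-style base score (0-10) and whether a public exploit is known.
SCAN = {
    "db-erp-01": {
        "open_ports": {5432, 22, 3389},
        "vulns": [{"id": "PLACEHOLDER-VULN-1", "score": 9.8, "exploit_public": True}],
    },
    "ws-fin-22": {
        "open_ports": {445},
        "vulns": [{"id": "PLACEHOLDER-VULN-2", "score": 5.3, "exploit_public": False}],
    },
}

IMPACT_WEIGHT = {"critical": 3, "high": 2, "medium": 1, "low": 1}   # assumed weights
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}   # assumed remediation windows, not a standard's


def _as_date(value):
    """Accept a date or an ISO string so callers can pass either."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def likelihood(vuln):
    """Exploit-probability proxy: normalised score, boosted when an exploit is public."""
    base = vuln["score"] / 10.0
    return min(1.0, base * (1.5 if vuln["exploit_public"] else 1.0))


def priority_band(risk):
    """Map a risk score (likelihood x impact, 0..3) to a remediation band."""
    if risk >= 2.0:
        return "P1"
    if risk >= 1.0:
        return "P2"
    return "P3"


def _finding(host, kind, detail, risk, today):
    band = priority_band(risk)
    return {"host": host, "kind": kind, "detail": detail, "risk": round(risk, 2),
            "priority": band, "due": today + timedelta(days=SLA_DAYS[band])}


def assess(baseline, scan, today=None):
    """Phases 2-4 in one pass: compare the scan with the baseline and return the
    report rows sorted by due date, highest risk first on the same date."""
    today = date.today() if today is None else _as_date(today)
    findings = []
    for host, observed in scan.items():
        if host not in baseline:
            # A host with no baseline is itself a gap; treat it as highest risk.
            findings.append(_finding(host, "unbaselined-host", host, 3.0, today))
            continue
        impact = IMPACT_WEIGHT[baseline[host]["criticality"]]
        # Configuration drift: ports open that the baseline does not allow.
        for port in sorted(observed["open_ports"] - baseline[host]["allowed_ports"]):
            findings.append(_finding(host, "port-drift", f"port {port}", 0.5 * impact, today))
        # Detected vulnerabilities: likelihood of exploit times asset impact.
        for vuln in observed["vulns"]:
            findings.append(_finding(host, "vulnerability", vuln["id"],
                                     likelihood(vuln) * impact, today))
    findings.sort(key=lambda f: (f["due"], -f["risk"], f["detail"]))
    return findings


def overdue(findings, as_of):
    """Progress measure for the CSI loop: findings still open past their due date."""
    as_of = _as_date(as_of)
    return [f for f in findings if f["due"] < as_of]


if __name__ == "__main__":
    for f in assess(BASELINE, SCAN):
        print(f"{f['priority']} {f['host']:<10} {f['kind']:<16} {f['detail']:<20} "
              f"risk={f['risk']} due={f['due']}")
```

The two things worth noticing in the output are that the public-exploit vulnerability on the critical database lands in P1 with the shortest window even though the unexpected ports on the same host only reach P2, and that `overdue()` gives the operational plan a concrete number to report back through continual service improvement rather than a narrative status.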


V. Threat Intelligence.  Threat intelligence (TI) is integral to vulnerability management because, used wisely, it enables a proactive approach to avoiding or filtering external threats.  Common objectives are: 1. Prevent, identify, and investigate leaks of intellectual property or other internal data.  2. Reduce the risk of […] customer-data breach.  3. Increase compliance / reduce the risk of noncompliance (with related enforcement) by employees, contractors, partners, or suppliers.  4. Reduce expenses from online fraud or cybercrime activity (Dalziel & Dalziel, 2014, 24).  The IAS department should source a subscription to cloud-based threat intelligence for procurement.  It would enable IAS analysts to avoid or filter threats relevant to the industries served [by the firm] and the software in use.  TI provides advance notice of threats so that the COO, IT, and IAS departments can secure assets before their vulnerabilities are exploited.


VI. Incident Response.  A prepared incident response procedure is necessary to respond to exploits of residual risk.  Incident response is a trained, defined, repeatable procedure that contains a cyber incident or attack and restores skeletal function of the asset.  The attack is fully evaluated in a non-production lab; the asset is later remediated or replaced to restore its normal operational function.  AlienVault (now AT&T Cybersecurity) suggests the three A’s of incident response: ammunition, attribution, and awareness (AT&T Cybersecurity, n.d.).  Ammunition endeavors to triage each incident correctly.  Attribution learns where the attack comes from and its intent.  Awareness trains all employees to identify the threats they may face, how to defend themselves, and how to report them to the helpdesk.  The firm’s incident response plan and cyber incident response team (CIRT) should be audited to ensure they meet operating needs when called upon.



Recommendations

This post has expressed the need for a VMP, a facet of risk management, under the umbrella of an operationalized information security program.  The three-tier triangular design of the plan, from strategy to tactics to operational plans, is clear, with hierarchical responsibility (from C-level executives down to the security team leader).  The scope of the VMP is aligned to the standards of NIST SP 800-30 r1 and the guidelines of ISACA CRISC.  An essential component of any risk management program is the testing of security measures, including the performance of a vulnerability assessment and/or penetration test (Unser, 2019 February 7).  A secure ecosystem is recommended for mobile devices, whether company owned or BYOD; an IAS analyst should qualify 2-3 vendors for evaluation and possible procurement.  A continuous schedule of vulnerability testing can mean the difference between a successful, productive year and catastrophic failure due to data breaches, theft, or loss (Pollack, 2018 September 20).  The next step is to form a steering committee led by a certified business analyst (e.g. ECBA) to elicit the context of the assets managed in the VMP.

If you’re attracted to this concept and are interested to discuss details for your enterprise, please click “Request a Consultation” at the base of the Consulting web page; write “VMP” in the subject line and paste the email signature of your executive assistant in the message body.  I reply within 24 hours to schedule an exploratory call that fits into your calendar.  Thanks for your attention.  ###


References

Rechtman, Y., & Rashbaum, K. N. (2015, May). Cybersecurity risks to CPA firms: Certified Public Accountant. The CPA Journal, 85(5), 54-57. Retrieved from

Pollack, C. (2018, September 20). Why Vulnerability Management Is Important for CPAs. FPA Technology Services. Retrieved from

Evans, B. (2017, August 9). Assessing Risks and Remediating Threats With a Layered Approach to Vulnerability Management. SecurityIntelligence. Retrieved from approach-to-vulnerability-management/

IT Info (n.d.). Continual Service Improvement. Information Technology Infrastructure Library (ITIL) Guide, IT Info. Retrieved from

Unser, J. J. (2019, February 7). Vulnerability Assessment and Penetration Testing Improve Security. Marvin and Company. Retrieved from

NIST (n.d.). Guide for Conducting Risk Assessments, NIST Special Publication 800-30 Revision 1. National Institute of Standards and Technology. Retrieved from nistspecialpublication800-30r1.pdf

Murphy, G. B. (2015). SSCP Official Study Guide. Wiley, Kindle Edition, p. 194.

Bisson, D. (2015, October 15). What Is Asset Discovery? The State of Security. Retrieved from

Gonzalez, K. (2018, June 8). A Step-By-Step Guide to Vulnerability Assessment. SecurityIntelligence. Retrieved from

Dalziel, M., & Dalziel, H. (2014). How to define and build an effective cyber threat intelligence capability: How to understand, justify and implement a new approach to security. Retrieved from https://ebookcentral-proquest-

AT&T Cybersecurity (n.d.). Chapter Four, Incident Response Tools. AT&T Cybersecurity. Retrieved from