vulnerability management

Overview

Vulnerability management is the process of addressing vulnerabilities. Vulnerabilities can be addressed in a number of ways. They can be remediated, mandated, or accepted. A vulnerability management program specifies how to address the vulnerabilities, in what order, and in what timeline.

Why are they asking this?

Vulnerabilities are weaknesses in the system that can allow for exploitation. A good vulnerability management plan can help ensure that the vulnerabilities are addressed before they are exploited.

What do they expect?

A copy of the vulnerability management plan may be requested to show that there is a program. Reports from vulnerability scanners, change requests, or other documents showing that vulnerabilities are being detected and addressed may be requested to show that the plan is being followed and is effective.

Do you have a vulnerability management program that includes: vulnerability identify and remediation, software and firmware patching, and hardware maintenance?
Do you have policies and procedures related to Vulnerability Management that are published, up to date, and available to all applicable personnel?
Is a vulnerability management program in place?
Is there a vulnerability management policy or program that has been approved by management and communicated to appropriate constituents?
Do you have a vulnerability management policy?
Does your vulnerability management program include timely reception of alerts and prompt patching of security vulnerabilities?
Does your company have a vulnerability management program to formally track and remediate security vulnerabilities within defined timelines?