Do you have a vulnerability management policy?

Vulnerability management

Vulnerability management is the process of addressing vulnerabilities. A vulnerability can be addressed in one of several ways: it can be remediated, mitigated, or accepted. A vulnerability management program specifies how vulnerabilities are addressed, in what order, and on what timeline.

Why are they asking this?

Vulnerabilities are weaknesses in a system that can be exploited. A good vulnerability management plan helps ensure that vulnerabilities are addressed before they are exploited.

What do they expect?

A copy of the vulnerability management plan may be requested to show that there is a program.  Reports from vulnerability scanners, change requests, or other documents showing that vulnerabilities are being detected and addressed may be requested to show that the plan is being followed and is effective.

Vulnerability management process

A vulnerability management process defines how to detect, assess, and mitigate or remediate vulnerabilities in a system.

Why are they asking this?

Without a well-defined vulnerability management process, vulnerabilities can go undetected, or go unaddressed by mitigation or remediation in a timely manner.

What do they expect?

There should be a well-defined vulnerability management plan that defines the processes for scanning, assessment and determination of risk, prioritization of mitigations and remediations, and the mitigation or remediation work itself. This should include regular vulnerability scanning, as well as monitoring of threat intelligence that is matched against a software inventory to determine whether the organization is exposed.

When a vulnerability is detected, the risk associated with it should be determined. This assessment should take into account existing mitigations, what is exposed, the potential cost in dollars, reputation, and relationships, and other factors, in order to prioritize the next steps. Remediation or mitigation plans should then be established, prioritized, and scheduled.

If the risk is mitigated by other factors, or the cost of a breach is below the cost of fixing the vulnerability, it may be acceptable to accept the risk and not remediate it, but this should be a last resort.
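The matching-and-prioritization step described above, as an added example that is not part of the original page: a constructed software inventory is checked against constructed advisories, each match is scored from severity, exposure, and existing mitigations, and the resulting priority band maps to an assumed remediation timeline.

```python
"""Added example: match threat intelligence against a software inventory,
score each exposure, and assign a remediation deadline.
The inventory, advisories, scoring weights and SLA days are all constructed
assumptions for illustration, not values from any real policy or feed."""


# Constructed inventory: one entry per installed product on a host.
INVENTORY = [
    {"host": "web-01", "product": "example-httpd", "version": "2.4.1",
     "internet_facing": True, "mitigations": []},
    {"host": "db-01", "product": "example-db", "version": "13.2",
     "internet_facing": False, "mitigations": ["network-segmented"]},
    {"host": "build-01", "product": "example-httpd", "version": "2.4.9",
     "internet_facing": False, "mitigations": []},
]

# Constructed threat-intelligence feed: versions below fixed_in are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "example-httpd", "fixed_in": "2.4.5", "severity": 9.0},
    {"id": "ADV-EXAMPLE-2", "product": "example-db", "fixed_in": "13.4", "severity": 6.5},
]

# Assumed policy: maximum days to remediate or mitigate, per priority band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def version_tuple(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(entry, adv):
    """An inventory entry is affected if product matches and version < fixed_in."""
    return (entry["product"] == adv["product"]
            and version_tuple(entry["version"]) < version_tuple(adv["fixed_in"]))


def risk_score(entry, adv):
    """Base severity, raised for internet exposure, lowered per existing mitigation."""
    score = adv["severity"] + (2.0 if entry["internet_facing"] else 0.0)
    score -= 1.0 * len(entry["mitigations"])
    return max(score, 0.0)


def priority(score):
    """Map a numeric risk score to a priority band (assumed thresholds)."""
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def assess(inventory, advisories):
    """Return findings sorted highest risk first, each with a due date in days."""
    findings = []
    for entry in inventory:
        for adv in advisories:
            if is_affected(entry, adv):
                s = risk_score(entry, adv)
                p = priority(s)
                findings.append({"host": entry["host"], "advisory": adv["id"],
                                 "score": s, "priority": p, "due_days": SLA_DAYS[p]})
    return sorted(findings, key=lambda f: -f["score"])
```

Running `assess(INVENTORY, ADVISORIES)` yields the prioritized work list a remediation schedule would be built from; an entry whose version is already at or above `fixed_in` produces no finding.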