1 Introduction / Executive Summary

Let's define vulnerability before diving into Vulnerability Management. In essence, software vulnerabilities are weaknesses or flaws in an organization’s IT infrastructure that a cyber adversary can exploit to gain greater access or privilege than is authorized. A system's security procedures, internal controls, or applications can be the source of these vulnerabilities. Moreover, a cyberattack or data breach can also be enabled by attack vectors such as unpatched or badly configured software.

Keeping systems and networks secure can be extremely complex and overwhelming. As businesses and organizations continue to grow in size and scope, many struggle to collect and maintain an accurate inventory of all known systems and devices across the organization. Consequently, in order to reduce attack surfaces, organizations need to understand that all network infrastructures, software programs, devices, and applications internally and on the Internet are at risk of cyberattacks.

Increasingly sophisticated and widespread cyberattacks continue to disrupt businesses and organizations already affected by the COVID-19 pandemic, geopolitical tensions, and a global supply-chain crisis. The ability to foster a strong cybersecurity foundation while implementing a vulnerability management plan is vital given the ever-changing threat landscape. Neglecting cybersecurity risks such as software vulnerabilities could have significant security and regulatory repercussions.

Therefore, an organization’s overall IT risk management should include a continuous process for detecting and managing software vulnerabilities. By securing coding practices, implementing vulnerability scanning and management, and consolidating security functions into fewer products, organizations will be able to significantly reduce attack surfaces. The best way to mitigate potential threats is to proactively close security gaps before they are exploited. That is where Vulnerability Management (VM) plays a key role.

Vulnerability Management is a security practice that focuses on the process by which organizations identify, analyze, manage, and prevent the exploitation of IT vulnerabilities. VM is a major component in planning for and determining the appropriate measures and management of risks. If implemented successfully, a VM program has the potential to increase the overall security of the organization and prevent threat actors from exploiting vulnerabilities.

While a vulnerability management plan with rules and guidelines is required to define a VM strategy, it is also important to gather input and support from all stakeholders to be able to implement it. Vulnerability management is about taking a step back and introducing a regular process to identify, assess, report, manage, and remediate vulnerabilities across attack surfaces.

By doing so, your organization will improve security practices, enhance your stakeholder relationship, and protect your organization from fines and penalties resulting from regulatory non-compliance –thus saving money and keeping your reputation intact. This Advisory Note will provide guidance on constructing a vulnerability management program and testing its effectiveness.

Furthermore, it will give an overview of the VM process that organizations should consider implementing and describe the steps that an organization needs to take to respond effectively to newly discovered vulnerabilities.