Vulnerability Management Program: Insights From an Auditor

Vulnerability management programs

Vulnerabilities exist within all technology environments. NIST has developed several definitions for vulnerabilities, including a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” As time passes, software vendors, threat actors, or security researchers, will inevitably find defects or vulnerabilities in the software and technology we use.

When a vulnerability is publicly disclosed, it is assigned a CVE (Common Vulnerabilities and Exposures) number to officially recognize it. The current list of CVEs is maintained by MITRE, and they are also tracked in NIST’s National Vulnerability Database. NIST’s National Vulnerability Database tracked and managed over 19,000 CVEs in 2020 and has identified over 9,000 so far in 2021. Clearly, vulnerabilities affect us all and need to be continuously addressed. Because of this, it’s important that companies establish an effective vulnerability management program to address the risks presented by vulnerabilities.

What is Vulnerability Management?

Wikipedia defines vulnerability management as the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. NIST defines vulnerability management as an information security continuous monitoring (ISCM) capability that “identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.”


What is a Vulnerability Management Program & Why Do You Need One?

If we append the word “program” to vulnerability management, how does that differ from vulnerability management alone? A skilled program management professional may respond like this: “A program is a set of related projects and activities, managed in a coordinated fashion and under a structure that allows for the delivery of outcomes and benefits. The purpose of a program is to tie together related work.” Anyone who has experience with vulnerability management understands the importance of the concept behind this definition of “program.” Vulnerability management, done properly, is a coordinated effort that requires the successful execution of multiple activities and projects.

What are the 4 Main Elements of a Vulnerability Management Process?

The larger an organization is, the more people and processes will need to be involved to ensure vulnerability management is carried out in a proper and effective manner. Although the number of people and processes involved will vary from company to company, the four main elements should include the following:

  • Inventory
  • Identify
  • Report and Prioritize
  • Response


Establishing an Inventory of IT Assets and Why it’s Important

As the old saying goes, you can’t protect what you can’t see. As noted above, vulnerabilities exist in all forms of technology. If you don’t know what technology you have, there is no way to understand what vulnerabilities exist within your technology ecosystem. It’s imperative that a company understands what technology exists within its environment and maintains an up-to-date record of its assets. The challenges of establishing a complete inventory of technology assets can vary from company to company.

In my experience, financial service institutions seem to have less of a challenge identifying their inventory of IT assets due to stronger internal control environments that come as a result of increased regulatory oversight. Controls such as removing the ability for end-users to install software or make configuration changes to their endpoints drastically reduce opportunities to introduce unknown or unapproved software into the environment. Restricting what devices can connect to a network, or establishing strong procurement practices with respect to hardware or cloud services can also help reduce the risks associated with Shadow IT.

Software development shops on the other hand seem to land on the other end of the spectrum. I typically see developers with administrative access to their endpoints, enabling them to download whatever software they feel they need or make whatever configuration changes they need to perform their jobs. Contractors typically utilize BYOD devices and have unfettered access to the technology environment. Developing a complete inventory of assets in this type of environment can prove to be extremely difficult.

The cloud can make things exponentially more challenging based on the designed ease of standing up resources with little to no effort. Do you know what assets and technology exist within your cloud environment? Do you know what cloud services exist within your ecosystem? Maintaining a comprehensive inventory of all technology assets is the most critical component of a vulnerability management program.


Identify Vulnerabilities (How Do You Identify Them?)

Once you have established and have confidence in your inventory of assets, it’s time to start looking for vulnerabilities. The most effective method of understanding what vulnerabilities exist within your technology environment is through the use of automated tools. Automated tools or scanners should be used to identify vulnerabilities throughout your entire technology environment. Your automated solutions should have up-to-date feeds that reflect the most current information pertaining to threats or vulnerabilities that are applicable to the technology you are using.

What is a Vulnerability Tool?

Several automated scanners or tools exist on the market to help companies identify vulnerabilities within their applications and environments. Gartner and OWASP have both compiled lists of available tools and solutions.

Automated tools should be configured to run continuously and the scope of the scans should be comprehensive. As noted above, the landscape encompassing current vulnerabilities changes often. As more time passes between scans, the number of unknown vulnerabilities increases too. Continuous scanning reduces the risk of unknown vulnerabilities remaining in your environment for extended periods of time.

Scans should also be comprehensive. Running scans within your on-prem production environment might be a good start, but what about vulnerabilities in your cloud infrastructure or employee endpoints? Identifying vulnerabilities within those environments may be just as important as identifying vulnerabilities in an on-prem production environment. As with all risk mitigation activity, a risk analysis should be performed to understand which environments pose the greatest risk and require scans.
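The inventory section and the two paragraphs above make one combined point: the scanner's coverage is only as good as the inventory it is checked against, and scans that run infrequently or skip environments leave gaps. The script below is an added example, not code from the article or from any scanner vendor, that reconciles a CMDB-style inventory export with the hosts a scanner actually reported on. It flags inventoried assets the scanner never touched, hosts the scanner saw that nobody inventoried (a shadow IT signal), and assets whose last scan is older than the policy window. The hostnames, owners, dates and the 30-day window are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): a CMDB-style asset
# inventory and the hosts a scanner actually reported on, with last-scan dates.
INVENTORY = {
    "web-01": {"owner": "platform", "env": "prod-onprem"},
    "web-02": {"owner": "platform", "env": "prod-onprem"},
    "db-01": {"owner": "data", "env": "prod-onprem"},
    "build-07": {"owner": "engineering", "env": "cloud"},
    "laptop-jdoe": {"owner": "it", "env": "endpoint"},
}

LAST_SCANNED = {
    "web-01": date(2021, 6, 1),
    "web-02": date(2021, 6, 1),
    "db-01": date(2021, 3, 10),        # scanned months ago: stale
    "ci-runner-42": date(2021, 6, 1),  # seen by the scanner, absent from inventory
}

TODAY = date(2021, 6, 15)  # fixed "now" so the example is reproducible


def reconcile(inventory, last_scanned, today, max_age_days=30):
    """Compare the asset inventory with what the scanner actually covered.

    Returns three sorted lists:
      unscanned - inventoried assets the scanner never reported (coverage gap)
      unknown   - hosts the scanner saw that are not inventoried (possible shadow IT)
      stale     - inventoried assets whose last scan is older than max_age_days
    """
    inv = set(inventory)
    seen = set(last_scanned)
    cutoff = today - timedelta(days=max_age_days)
    return {
        "unscanned": sorted(inv - seen),
        "unknown": sorted(seen - inv),
        "stale": sorted(h for h in inv & seen if last_scanned[h] < cutoff),
    }


def coverage_ratio(inventory, last_scanned, today, max_age_days=30):
    """Share of inventoried assets with a scan inside the policy window."""
    if not inventory:
        return 0.0
    gaps = reconcile(inventory, last_scanned, today, max_age_days)
    covered = len(inventory) - len(gaps["unscanned"]) - len(gaps["stale"])
    return covered / len(inventory)


def gaps_by_env(inventory, last_scanned, today, max_age_days=30):
    """Count coverage gaps per environment, as input to the risk analysis of
    which environments need scanning attention first."""
    gaps = reconcile(inventory, last_scanned, today, max_age_days)
    counts = {}
    for host in gaps["unscanned"] + gaps["stale"]:
        env = inventory[host]["env"]
        counts[env] = counts.get(env, 0) + 1
    return counts


if __name__ == "__main__":
    print(reconcile(INVENTORY, LAST_SCANNED, TODAY))
    print(f"coverage: {coverage_ratio(INVENTORY, LAST_SCANNED, TODAY):.0%}")
    print(gaps_by_env(INVENTORY, LAST_SCANNED, TODAY))
```

Run against a real environment, the `unknown` list is the one an auditor will ask about first, because a host the scanner found but the inventory lacks has no owner and no SLA attached to anything discovered on it. The `max_age_days` value encodes the "continuous" scanning expectation as a measurable control rather than an intention.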


Reporting & Prioritization

For those who have reviewed vulnerability reports in the past, the resulting reports can be intimidating and may require a significant amount of work to review and to understand which vulnerabilities require immediate attention. A security practitioner or security team should determine and document action plans or SLAs that govern how the company handles vulnerabilities when they are identified. A vulnerability’s Common Vulnerability Scoring System (CVSS) score is a good reference that should be used to determine the appropriate course of action.

The CVSS is an industry-accepted standard for assessing the severity of technology security vulnerabilities. The CVSS scoring system assigns severity scores to vulnerabilities, giving security practitioners the opportunity to prioritize response activity. Scores are derived based on defined criteria and range from 0 to 10, with 10 rated as the most severe. A company should familiarize itself with the CVSS scoring system and determine ahead of time how it will react to the different ratings (i.e., Critical, High, Medium, Low, None, etc.).
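To make the "decide ahead of time" advice concrete, the following added example (not from the article) maps CVSS base scores to the qualitative ratings the CVSS v3.x specification publishes (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), attaches a remediation SLA to each rating, and turns a raw list of scanner findings into a queue ordered by urgency with overdue items flagged. The SLA day counts, the finding IDs, asset names, scores and dates are all constructed placeholders; an organization substitutes its own policy.

```python
from datetime import date, timedelta

# CVSS v3.x qualitative severity rating scale, as published with the standard.
SEVERITY_BANDS = [
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
]

# Assumed remediation SLA (days after first detection) per rating. These are
# placeholder numbers for the example; an organization sets its own.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}

# Sort order: Critical first, None last.
URGENCY = {name: i for i, (name, _, _) in enumerate(reversed(SEVERITY_BANDS))}

TODAY = date(2021, 6, 15)  # fixed "now" so the example is reproducible


def severity(score):
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores are reported to one decimal place
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: bands cover 0.0-10.0")


def triage(findings, today):
    """Attach rating, SLA due date and overdue flag to each finding and
    order the list most urgent first (by rating, then oldest detection)."""
    rows = []
    for f in findings:
        rating = severity(f["cvss"])
        sla = SLA_DAYS[rating]
        due = f["first_seen"] + timedelta(days=sla) if sla is not None else None
        rows.append({**f, "rating": rating, "due": due,
                     "overdue": due is not None and today > due})
    rows.sort(key=lambda r: (URGENCY[r["rating"]], r["first_seen"]))
    return rows


def overdue_ids(findings, today):
    """IDs of findings that have breached their SLA, most urgent first."""
    return [r["id"] for r in triage(findings, today) if r["overdue"]]


# Constructed scanner output for the example (not real findings), deliberately
# unordered so the triage step has something to do.
FINDINGS = [
    {"id": "F-3", "asset": "web-02", "cvss": 5.3, "first_seen": date(2021, 4, 1)},
    {"id": "F-1", "asset": "web-01", "cvss": 9.8, "first_seen": date(2021, 6, 1)},
    {"id": "F-5", "asset": "db-01", "cvss": 0.0, "first_seen": date(2021, 6, 10)},
    {"id": "F-2", "asset": "db-01", "cvss": 7.5, "first_seen": date(2021, 5, 1)},
    {"id": "F-4", "asset": "build-07", "cvss": 3.1, "first_seen": date(2021, 1, 10)},
]

if __name__ == "__main__":
    for row in triage(FINDINGS, TODAY):
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["id"]:4} {row["rating"]:8} cvss={row["cvss"]:<4} due={row["due"]} {flag}')
```

The design choice worth noting is that the SLA clock starts at `first_seen`, the date the scanner first reported the finding, not at the date someone opened a ticket; that is the number an auditor will compare against the documented policy. A base score alone ignores exploitability and exposure of the specific asset, so a steering committee will often adjust the rating before the SLA is applied, but the documented default is what lets the program be measured.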

Response/Remediate – What is the Appropriate Course of Action?

When considering response measures and prioritization, it’s recommended that companies establish a steering committee. The steering committee should represent a cross-functional team that is able to assess the known facts regarding identified vulnerabilities and determine the best course of action. Potential members may include a representative from the platform team, software engineers, site reliability engineers, as well as someone from customer service. All of these individuals will appreciate the opportunity to understand what the vulnerability is and how the recommended remediation plan may affect their respective teams or your clients.

A recommended patch may require a reboot or downtime, and pulling input from all involved parties or stakeholders will help ensure all concerns or recommendations are considered and provide all parties with an opportunity to buy in to or support the recommended approach. In some cases a patch may not be readily available; if so, are there other mitigating actions the committee can take to reduce the risk? Ultimately, the committee will need to select one of three options: remediate, mitigate, or accept the risks associated with the identified vulnerability.


Maturity Model – Determining Your Security Maturity

Not all companies or entities are created equal. More mature companies may already have a robust, comprehensive, and continuous vulnerability management program in place. Other companies may just be getting started with their program. Either way, it can be helpful to determine your program’s strength or level of maturity.

SANS has published a vulnerability management maturity model that provides definitions for five separate maturity levels and identifies activities a company should have in place to meet each of the defined levels. A mature company may benefit from reviewing the model to understand how it measures up against the established criteria. A start-up or less mature organization may decide to use the model as a roadmap as it begins the process of establishing its own vulnerability management program.

Outsourcing Vulnerability Management Services: Yes or No?

It seems as though almost anything can be outsourced these days and packaged in an “as a service” offering. Vulnerability management is no different. A vulnerability management as a service offering can provide multiple benefits to a company, including potential cost savings, experience, and expertise. These arguments are the same for all “as a service” offerings. As companies evaluate the cost of their current vulnerability management program and the experience of their in-house staff, it may be beneficial to perform a cost-benefit analysis and decide if outsourcing is a more favorable option.

As with all outsourcing, it’s important that companies perform their own risk assessment to understand what their own risk and threat landscapes look like before having conversations with third parties. Third-party consultants can provide valuable guidance and direction, but ultimately their goals and objectives will differ from yours and their knowledge of your company is limited. Make an attempt to understand your real needs before looking for outside help.


How Do Vulnerability Management Programs Work With SOC 2 Reports?

Establishing a vulnerability management program should be considered an essential and foundational component of a company’s security and risk mitigation strategy. A service organization’s ability to demonstrate to their clients that they have an effective vulnerability management program can go a long way in establishing trust and confidence in that entity. A SOC 2 compliance report is an excellent method for a service organization to report on the effectiveness of its internal control environment. Vulnerability scanning is included as a point of focus within the SOC 2 Trust Services Criteria CC7.1:

  • “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.”

CC7.1’s referenced point of focus:

  • “Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.”


Any company that maintains a digital footprint or utilizes technology to deliver its goods or services cannot ignore the need to establish a vulnerability management program. The majority of data breaches and high-profile security incidents start with the exploitation of a known vulnerability. Effectively managing vulnerabilities using a risk-based approach does not provide absolute assurance that a company won’t fall victim to a security incident, but it will help businesses better address the ever-increasing risks and threats to their operations.

If you have questions about the benefits of a vulnerability management program and its applicability to the SOC 2 Trust Services Criteria, please contact our team of auditors at Linford & Co.