This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you
would like additional information or assistance with the customization and implementation of a balanced risk management
process for your security program then please contact Mark @ 604-349-6557 or email@example.com
Create an Inventory of assets in scope documenting hardware equipment, operating systems, and
software applications used within the organization to be included in vulnerability management.
Monitor manufacturers for vulnerability announcements and patch releases.
Prioritize remediation using a risk management ranking system.
Create a registry of assets requiring remediation.
Test patches before deployment to ensure standardized configurations are unchanged.
Distribute patch installation and testing instructions to local administrators.
Perform automated deployment of patches where possible to remove potential human error.
Use automatic update of applications whenever possible and appropriate.
Verify and validate vulnerability remediation using infrastructure scanning tools.
Train local administrators on how to identify vulnerabilities and install/verify patches.
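The steps above (inventory, advisory monitoring, risk-ranked prioritization, a remediation registry, and scan-based verification) fit together as one data flow. The Python below is an added example written for this page, not part of the briefing or any tool it references: the assets, advisory identifiers (ADV-000x placeholders, not real CVE numbers), CVSS values, criticality levels, the 1.5x weighting for known-exploited issues, and the scanner findings are all constructed so it runs offline. It joins the inventory to the advisories, ranks the resulting registry, records patches, and then reconciles the registry against a scan result so a patch that did not take is reopened instead of being silently closed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    software: tuple        # ((product, installed_version), ...) from the inventory step
    criticality: int       # 1 (low) .. 5 (high); assumption: set by the asset's business owner


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder id, not a real CVE number
    product: str
    affected_versions: frozenset
    fixed_version: str
    cvss: float            # vendor/NVD base score 0.0 .. 10.0
    exploited_in_wild: bool


@dataclass
class RegistryEntry:
    asset_id: str
    advisory_id: str
    risk_score: float
    status: str = "open"   # lifecycle: open -> patched -> verified (or back to open)


EXPLOITED_WEIGHT = 1.5     # assumption: known-exploited issues rank ahead of equal-CVSS ones


def risk_score(asset, advisory):
    """Risk rank = severity x asset criticality, boosted if exploitation is observed."""
    weight = EXPLOITED_WEIGHT if advisory.exploited_in_wild else 1.0
    return round(advisory.cvss * asset.criticality * weight, 2)


def build_registry(assets, advisories):
    """Join inventory to advisories; only assets running an affected version are registered."""
    entries = []
    for asset in assets:
        installed = dict(asset.software)
        for adv in advisories:
            version = installed.get(adv.product)      # None when the product is not installed
            if version in adv.affected_versions:
                entries.append(RegistryEntry(asset.asset_id, adv.advisory_id,
                                             risk_score(asset, adv)))
    entries.sort(key=lambda e: e.risk_score, reverse=True)   # highest risk first
    return entries


def record_patch(registry, asset_id, advisory_id):
    """Local administrator reports the patch as installed; not yet verified."""
    for entry in registry:
        if entry.asset_id == asset_id and entry.advisory_id == advisory_id:
            entry.status = "patched"
            return entry
    raise KeyError(f"{asset_id}/{advisory_id} is not in the remediation registry")


def verify_with_scan(registry, scan_findings):
    """Close 'patched' entries the scanner no longer reports; reopen the ones it still finds."""
    for entry in registry:
        if entry.status != "patched":
            continue
        still_present = (entry.asset_id, entry.advisory_id) in scan_findings
        entry.status = "open" if still_present else "verified"
    counts = {}
    for entry in registry:
        counts[entry.status] = counts.get(entry.status, 0) + 1
    return counts


# Constructed sample inventory and advisories (not real systems or vulnerabilities)
ASSETS = [
    Asset("A1", "db-prod-01", (("openssl", "1.1.1k"), ("postgres", "13.2")), 5),
    Asset("A2", "web-prod-01", (("openssl", "1.1.1k"), ("nginx", "1.20.0")), 4),
    Asset("A3", "dev-box-07", (("openssl", "1.1.1q"), ("nginx", "1.18.0")), 1),
]
ADVISORIES = [
    Advisory("ADV-0001", "openssl", frozenset({"1.1.1k", "1.1.1l"}), "1.1.1m", 7.5, True),
    Advisory("ADV-0002", "nginx", frozenset({"1.18.0"}), "1.20.1", 5.3, False),
    Advisory("ADV-0003", "postgres", frozenset({"12.0"}), "12.1", 9.8, False),  # no asset affected
]


def run_example():
    """Full cycle: register, patch the two production hosts, verify against a scan."""
    registry = build_registry(ASSETS, ADVISORIES)
    record_patch(registry, "A1", "ADV-0001")
    record_patch(registry, "A2", "ADV-0001")
    scan = {("A2", "ADV-0001")}   # constructed scanner output: A2's patch did not take
    counts = verify_with_scan(registry, scan)
    return registry, counts


if __name__ == "__main__":
    reg, summary = run_example()
    for e in reg:
        print(f"{e.asset_id} {e.advisory_id} risk={e.risk_score:<6} status={e.status}")
    print(summary)
```

The point of the reconciliation step is that "patched" is a claim and "verified" is evidence: only the scan result moves an entry to closed, and a finding that survives a reported patch goes back into the queue at its original rank.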
The following CyberSecurity Briefing concerns the Vulnerability Management Strategy (VMS) created
specifically for CyberSecurity but also used by PCI DSS, hence the clause references. This VMS should be
applied by all security professionals and every security program manager. If you manage a security program,
you need to be serious about addressing the 75% of known vulnerabilities currently published in the
Common Vulnerabilities and Exposures (CVE) database today. I have included a bullet-point list outlining the strategy
steps, accompanied by a schedule, for added clarity and perspective on what is a fairly intense process. The VM
process is also one of my 11 Essential CyberSecurity processes, previously published.
P = Planned