Vulnerability management is a proactive approach to identifying and closing vulnerabilities through ongoing processes of security scanning, auditing, and remediation. It aims to stay ahead of constantly changing threats by maintaining an inventory of known vulnerabilities and prioritizing remediation. In addition to technical vulnerabilities, poor internal processes around user access management, patching, and configuration can also pose risks, so these operational activities should be regularly assessed and improved. Once gaps have been addressed through effective vulnerability management over time, penetration testing can further test security and provide assurance.

1. Vulnerability Management

2. Vulnerability management
Vulnerability management is a proactive
approach to identifying and closing down Inventory
vulnerabilities.
It uses similar methods to penetration testing
with the objective being to identifying all Verify Prioritise
known vulnerabilities, either visible to the
outside world, or visible internally to the
organisation. Ongoing
Process
Threats to a companies security changes on
a daily basis. Vulnerability management is
Action Assess
an ongoing programme of security
scanning, security auditing and remediation
allowing you to stay one step ahead.
Report
Prevention is cheaper than cure.

3. Don’t neglect the processes
Security vulnerabilities can also be caused
by poor internal processes, for example:
• poor user access management
(joiners, movers, leavers)
• poor patch management
• lack of robust configuration
management
• uncontrolled changes and a host of
other operational IT activities.
These are often easy to fix and will result
in a significant improvement of your
‘security posture’.

4. When to consider penetration testing
Reduction in vulnerabilities over
time as a result of effective
vulnerability management.
Number of known vulnerabilities
Once vulnerability gaps have
been addressed, a penetration
test can be used to provide
Continue with
assurance that all serious security
vulnerability management
gaps have been resolved.
to address new
vulnerabilities as they arise

5. Our services
• Vulnerability scanning and penetration
testing services – through our strategic
partnership with RandomStorm, we can
provide technical vulnerability scanning and
penetration testing services at a competitive
price.
• We can provide you with complementary
security services, from coordinating
scanning and penetration testing activities
on your behalf, performing security process
reviews and technical security
audits, providing prioritisation and decision-
making support, through to managing the
end-to-end vulnerability remediation
programme
• We can help you design and implement
your security vulnerability management
programme

6. About us
CS Risk Management & Compliance is a consultancy company specialising in helping
organisations achieve compliance with standards such as PCI:DSS and ISO27001, as
well as adherence to legislation such as the Data Protection Act.
With experience in multiple business sectors such as financial, telecoms and service
industries, our consultants have the in-depth understanding of IT systems to help
translate standards and legislation and introduce practical, workable changes to meet
them, all with little disruption to your daily operations.
At CS Risk Management & Compliance it is essential to us that we stay abreast of all
the latest developments in the IT industry and that we have the knowledge to deliver the
best service. Continuous professional development is essential for our consultants and
this has lead to them holding many industry recognised qualifications such as ISC2’s
Certified Information Systems Security Professional, Certified Information Systems
Manager and Certified Information Systems Auditor , the Business Continuity Institute’s
professional certifications, and BSI’s ISO27001 Lead Implementer and Lead Auditor.

7. About RandomStorm
Based in the UK, RandomStorm has developed a range of on demand scanning
services to meet the security requirements for any size organisation without the need for
additional infrastructure investment. With over 30 years combined professional
experience in IT security technology the company offers a comprehensive range of
scanning, monitoring, alerting and remediation consultancy services exclusively through
its network of specialist security partners.
RandomStorm’s services are underpinned by a team of highly qualified vulnerability and
penetration testing engineers including Certified Ethical Hackers (CEH) and the highest
security industry certifications, with individual skill levels verified under the TIGER
Scheme, the security industry’s independent standards watch-dog.
Key areas of expertise include ethical hacking, network security testing, application
security testing and web application testing
www.RandomStorm.co.uk