Vulnerability Management Program
The National Institute of Standards and Technology (NIST) publishes a document that is especially useful to anyone writing a vulnerability management policy: Special Publication 800-40, Creating a Patch and Vulnerability Management Program. That title belongs to Version 2.0 of SP 800-40, the edition the excerpt below is taken from; NIST has since revised the publication (Revision 3, Guide to Enterprise Patch Management Technologies, and Revision 4, Guide to Enterprise Patch Management Planning), so check NIST's Computer Security Resource Center (CSRC) for the current edition before citing it in a policy.
Here’s an excerpt:
Organizations need to create a comprehensive, documented, and accountable process for identifying and addressing vulnerabilities, patches, and threats within an organization. One possible approach is to have a formal, centralized patch and vulnerability group that supports the security efforts of local system administrators.
Specific recommendations for organizations implementing a patch and vulnerability management program are as follows:
- Create an inventory of all information technology assets.
- Create a patch and vulnerability group.
- Continuously monitor for vulnerabilities, remediations, and threats.
- Prioritize patch application and use phased deployments as appropriate.
- Test patches before deployment.
- Deploy enterprise-wide automated patching solutions.
- Create a remediation database (this is often included within enterprise patch management tools).
- Use automatically updating applications as appropriate.
- Verify that vulnerabilities have been remediated.
- Train applicable staff on vulnerability monitoring and remediation techniques.
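As an added illustration, not part of the NIST text or of this page, the following Python sketch models four of the recommendations above: an asset inventory, risk-based prioritization of findings, a remediation database, and verification by rescan rather than by trusting a "patched" claim. Every detail in it is an assumption made for the example: the hosts, the 1-5 criticality scale, the VULN-nnnn placeholder identifiers (not real advisories), the risk weighting, the SLA tiers and the scan dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory (SP 800-40: "inventory of all IT assets").
# 'criticality' is an assumed 1-5 business-impact scale, not a field NIST defines.
ASSET_INVENTORY = {
    "web-01": {"owner": "app-team", "criticality": 5, "internet_facing": True},
    "db-01": {"owner": "data-team", "criticality": 4, "internet_facing": False},
    "lab-07": {"owner": "it-ops", "criticality": 1, "internet_facing": False},
}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # scanner/vendor identifier; placeholders here, not real advisories
    cvss: float         # CVSS base score as reported by the scanner
    fix_available: bool


# Constructed scanner exports for two scan runs a month apart.
SCAN_DATE = date(2024, 1, 1)
RESCAN_DATE = date(2024, 2, 1)
REVIEW_DATE = date(2024, 2, 15)
SCAN_BASELINE = [
    Finding("web-01", "VULN-0001", 9.8, True),
    Finding("db-01", "VULN-0002", 7.5, True),
    Finding("lab-07", "VULN-0001", 9.8, True),
    Finding("lab-07", "VULN-0003", 4.3, False),
    Finding("ghost-42", "VULN-0002", 7.5, True),   # host missing from the inventory
]
SCAN_FOLLOWUP = [
    Finding("db-01", "VULN-0002", 7.5, True),      # claimed fixed but still present
    Finding("lab-07", "VULN-0003", 4.3, False),
    Finding("web-01", "VULN-0004", 5.0, True),     # newly discovered since the baseline
]


def risk_score(finding, inventory=ASSET_INVENTORY):
    """Assumed weighting: CVSS x criticality, doubled for internet-facing assets.
    A host absent from the inventory is scored as maximally critical and exposed,
    so an inventory gap rises to the top of the queue instead of being ignored."""
    asset = inventory.get(finding.host)
    if asset is None:
        return finding.cvss * 5 * 2
    score = finding.cvss * asset["criticality"]
    return score * 2 if asset["internet_facing"] else score


def prioritize(findings, inventory=ASSET_INVENTORY):
    """Highest risk first; host and ID break ties so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f, inventory), f.host, f.vuln_id))


def remediation_deadline(finding, scanned_on, inventory=ASSET_INVENTORY):
    """Assumed SLA tiers: 7 days for score >= 40, 30 days for >= 15, else 90 days."""
    score = risk_score(finding, inventory)
    days = 7 if score >= 40 else 30 if score >= 15 else 90
    return scanned_on + timedelta(days=days)


class RemediationDatabase:
    """Tracks each (host, vuln_id) through open -> claimed_fixed -> verified | reopened."""

    def __init__(self, inventory=ASSET_INVENTORY):
        self.inventory = inventory
        self.records = {}

    def ingest(self, findings, scanned_on):
        """Record findings not yet known; existing records keep their original deadline."""
        for f in findings:
            key = (f.host, f.vuln_id)
            if key not in self.records:
                self.records[key] = {
                    "status": "open",
                    "due": remediation_deadline(f, scanned_on, self.inventory),
                    "unknown_asset": f.host not in self.inventory,
                }

    def claim_fixed(self, host, vuln_id):
        """An administrator reports the patch applied; nothing closes until a rescan agrees."""
        self.records[(host, vuln_id)]["status"] = "claimed_fixed"

    def verify(self, rescan, scanned_on):
        """Close claimed fixes only when the rescan no longer reports them. A finding that
        disappears without a recorded fix stays open, because a scanner coverage gap
        looks the same as remediation. Returns the status of every record."""
        still_present = {(f.host, f.vuln_id) for f in rescan}
        for key, rec in self.records.items():
            if rec["status"] == "claimed_fixed":
                rec["status"] = "reopened" if key in still_present else "verified"
        self.ingest(rescan, scanned_on)
        return {key: rec["status"] for key, rec in self.records.items()}

    def overdue(self, today):
        """Open or reopened records past their deadline, for escalation."""
        return sorted(key for key, rec in self.records.items()
                      if rec["status"] in ("open", "reopened") and rec["due"] < today)


if __name__ == "__main__":
    db = RemediationDatabase()
    db.ingest(SCAN_BASELINE, SCAN_DATE)
    for f in prioritize(SCAN_BASELINE):
        print(f"{f.host:9} {f.vuln_id} score={risk_score(f):.1f} "
              f"due={db.records[(f.host, f.vuln_id)]['due']}")
    db.claim_fixed("web-01", "VULN-0001")
    db.claim_fixed("db-01", "VULN-0002")
    print(db.verify(SCAN_FOLLOWUP, RESCAN_DATE))
    print("overdue:", db.overdue(REVIEW_DATE))
```

Two design points carry the weight here. First, a finding on a host the inventory does not know about is scored at the top rather than dropped, because the most common reason a scanner sees an unlisted host is that the inventory is incomplete. Second, "claimed_fixed" is never a terminal state: only the follow-up scan moves a record to "verified", and a claimed fix that the rescan still reports is reopened, which is the verification step the NIST list calls for.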
An archive copy of the document is here: Vulnerability Management Program