UnixTime

Research Note

Vulnerability Management Procedure

Use this procedure to define how the organization identifies, evaluates, treats, retests, and reports technical vulnerabilities.

On this page

When to use this

Use this procedure to define how the organization identifies, evaluates, treats, retests, and reports technical vulnerabilities.

Procedure outline

Step Owner Evidence
Maintain asset and scan scope TBD Asset/scanning scope
Monitor vulnerability sources TBD Source list / advisories
Run scans or tests TBD Scan/test reports
Risk-rate findings TBD Risk rating / tracker
Select treatment TBD Patch / mitigation / exception
Test and deploy patch TBD Change record
Retest TBD Retest report
Report metrics TBD Dashboard/report

Minimum checks

  • Vulnerability sources are defined.
  • Scan scope covers relevant systems.
  • Severity and exposure criteria are defined.
  • Remediation timelines are defined.
  • Patch testing and rollback are defined.
  • Exceptions require risk acceptance.
  • Retesting is required before closure.