Manage vulnerability assessment activities
Overview
This standard is about managing vulnerability assessment activities.
This involves developing and delivering a comprehensive vulnerability management capability.
It includes defining effective strategies, policies and procedures for identifying, reporting and mitigating vulnerabilities impacting the organisation. It also includes identifying and recommending measures to manage and remediate vulnerabilities, establishing a vulnerability toolset to scan and report findings, and providing metrics and reporting on system vulnerabilities, patch management status, and trend analysis for management stakeholders.
This standard is for those who need to manage vulnerability assessment activities as part of their duties.
Performance criteria
You must be able to:
- Create, implement and maintain vulnerability management policies and procedures in line with organisational standards
- Define the organisational vulnerability scanning infrastructure, tools and techniques to deliver vulnerability assessments
- Specify organisational hardening policies to minimise operating system vulnerabilities
- Lead the identification of new processes to improve vulnerability assessments
- Implement training and development plans for all vulnerability assessment staff to maintain required capabilities
- Lead vulnerability assessment and patch management capabilities to determine the security posture of the target system
- Manage the master patch record and ensure all technology stacks are patched regularly so that vulnerabilities are proactively handled
- Develop metrics to provide status updates on vulnerability management activities
- Track progress of vulnerability remediation activities through formal change processes to verify closure
- Produce and communicate vulnerability reports to inform stakeholders on capabilities, trends and performance metrics
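The last three criteria (metrics, tracking remediation to closure through formal change, and reporting) can be made concrete with a small calculation over scan findings. The following is an added illustration and is not part of the standard: the SLA thresholds, finding records and change references are all constructed here as assumptions, and a finding only counts as closed when a change record verifies the fix, mirroring the "verify closure" criterion.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation SLAs in days per severity (hypothetical values; an
# organisation's own vulnerability management policy sets the real ones).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    severity: str
    found: date
    fixed: Optional[date] = None       # date the remediation was applied
    change_ref: Optional[str] = None   # formal change ticket verifying closure


def is_closed(f: Finding) -> bool:
    """A finding is closed only when a fix exists AND a change record verifies it."""
    return f.fixed is not None and f.change_ref is not None


def age_days(f: Finding, today: date) -> int:
    """Days from discovery to verified closure, or to today if still open."""
    end = f.fixed if is_closed(f) else today
    return (end - f.found).days


def sla_breached(f: Finding, today: date) -> bool:
    return age_days(f, today) > SLA_DAYS[f.severity]


def summarise(findings, today: date) -> dict:
    """Per-severity metrics suitable for a management status report."""
    report = {}
    for sev in SLA_DAYS:
        subset = [f for f in findings if f.severity == sev]
        open_ = [f for f in subset if not is_closed(f)]
        closed = [f for f in subset if is_closed(f)]
        report[sev] = {
            "open": len(open_),
            "open_over_sla": sum(1 for f in open_ if sla_breached(f, today)),
            "closed": len(closed),
            "closed_within_sla": sum(1 for f in closed if not sla_breached(f, today)),
            "mean_days_to_remediate": (
                round(mean(age_days(f, today) for f in closed), 1) if closed else None
            ),
        }
    return report


def overdue(findings, today: date):
    """Open findings past SLA, oldest first: the list to chase through change management."""
    late = [f for f in findings if not is_closed(f) and sla_breached(f, today)]
    return sorted(((f.host, f.severity, age_days(f, today)) for f in late),
                  key=lambda row: -row[2])


# Constructed sample data (not from any real scan).
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2024, 6, 20), date(2024, 6, 24), "CHG-0001"),
    Finding("web-01", "critical", date(2024, 6, 1)),
    # Fixed, but no change record yet, so it is still counted as open/unverified.
    Finding("db-01", "high", date(2024, 5, 1), date(2024, 5, 15)),
    Finding("db-01", "high", date(2024, 6, 10), date(2024, 6, 20), "CHG-0002"),
    Finding("app-02", "medium", date(2024, 3, 1)),
    Finding("app-02", "low", date(2024, 6, 25)),
]

if __name__ == "__main__":
    for sev, row in summarise(SAMPLE_FINDINGS, AS_OF).items():
        print(sev, row)
    print("overdue:", overdue(SAMPLE_FINDINGS, AS_OF))
```

Running the same summary against successive scan snapshots gives the trend data the reporting criterion asks for; the overdue list is the working input for the change-tracking criterion.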
Knowledge and Understanding
You need to know and understand:
- How to design and implement an organisational vulnerability management strategy
- That vulnerability management is an essential component of an information security management system
- That the regular identification and mitigation of vulnerabilities is a key element of risk governance
- How to take responsibility for the budgetary control process for vulnerability management activities
- That the vulnerability assessment policy defines who can perform vulnerability assessments and how often they should occur
- That the vulnerability assessment process provides visibility of vulnerabilities and mitigations across an organisation's information systems
- How to manage vulnerability management capabilities to deliver organisational requirements
- How to analyse complex vulnerability problems
- How to manage and resolve mitigations for complex vulnerabilities
- The steps involved in infrastructure configuration hardening informed by vulnerability assessment
- The importance of identifying and reviewing new tools and techniques to improve vulnerability assessment capabilities
- The importance of providing ongoing training and guidance to all vulnerability assessment employees
- The use of automated tools to improve the efficiency and effectiveness of vulnerability assessment activities
- How to measure the effectiveness of vulnerability management through reporting and metrics