Vulnerability & Patch Management Program (VPMP)
Microsoft Word Template - Vulnerability & Patch Management Program
Once again, our customers spoke and we listened - our customers needed documentation on how they could prove they have a "vulnerability management program" in place. Similar to the other cybersecurity documentation we sell, many of our customers tried and failed to create their own program-level documentation. However, this is what we've found to be the most difficult for companies to get right. It is not uncommon to have hundreds of man-hours spent on this type of documentation effort and only have it end in failure. That is why we are very excited about this product, since it fills a void at most organizations, both large and small.
The Vulnerability & Patch Management Program (VPMP) is framework-independent (e.g., ISO, NIST, COBIT, etc.) and was designed to integrate with our Written Information Security Program (WISP) and Risk Management Program (RMP) documentation - this allows you to have policies, standards and procedures that work together to create a holistic and comprehensive cybersecurity program!
Interestingly, the VPMP was one of the most challenging documents we've developed over the last decade. The reason for this is the need to address and unify various components that are complex on their own - patching systems, vulnerability scanning, remediation activities and penetration testing. What this program-level document establishes is the framework to provide direction to and govern those functions, regardless of who is actually doing the work. Depending on the makeup of the organization, it can be pure IT, cybersecurity personnel, outsourced staffing or a combination of all. Given the cost associated with the effort to create a documented vulnerability management program from scratch, the VPMP priced to be affordable to all organizations.
Since all organizations are unique, the VPMP is a Microsoft Word document and this provides you with the ability to edit the documentation to the specific needs of your organization.
Click here to see an example
Who Buys This Type of Documentation?
Interestingly, we've found considerable demand for this kind of vulnerability management program documentation. In no order of preference, these are the buyers for the VPMP:
- A new contract/regulation specifically calls out a vulnerability management capability and the vendor can't meet that requirement (e.g., NIST 800-171);
- A company is going to get audited soon by an external party and is scrambling for documentation its staff can easily implement;
- A company just failed an external audit and its staff is scrambling to implement a program to make up for the deficiency in the audit;
- Recent leadership changes uncovered internal program weaknesses that need to be remediated;
- An annual internal review of IT General Controls (ITGC) pointed to deficient processes within vulnerability management; and
- A risk assessment identified remediation efforts as deficient and the issue needs to be remediated to remove it from the risk register.
VPMP Cost Savings
As you can see, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a VPMP from ComplianceForge is approximately 10% ($10,000+ savings) of the cost as compared to writing your own documentation and 5% ($22,500+ savings) of the cost as compared to hiring a consultant to write it for you!
Our Risk Management Program (RMP) is a fraction of the cost, as compared to developing it yourself or hiring a consultant to write it for you:
Why You Need A Documented Vulnerability & Patch Management Program!
The following statutory, regulatory and contractual sources specifically have requirements surrounding patching, vulnerability remediation, vulnerability scanning and penetration testing:
Vulnerability Management - Including Patch / Flaw Management
- NIST 800-53 rev 4 - SI-2 & SA-11
- NIST 800-171 - 3.14.1, 3.14.2 & 3.14.3
- PCI DSS - 6.1, 6.2 & 6.6
- ISO 27002 - 12.6.1 & 16.1.3
- NIST Cybersecurity Framework - ID.RA-1 & PR.IP-12
- CIS Critical Security Controls - 4.5, 4.7 & 16.6
- MA 201 CMR 17.00 - 17.04(6)
- OR 646A - 622(2)(d)(B)(iii)
Vulnerability Remediation Processes
- NIST 800-53 rev 4 - PM-04
- NIST 800-171 - 3.11.3 & 3.12.2
- ISO 27002 - 12.6.1
- NIST Cybersecurity Framework - ID.RA-6
- CIS Critical Security Controls - 4.7, 4.8 & 18.1
- MA 201 CMR 17.00 - 17.03(2)(j)
- OR 646A - 622(2)(d)(B)(iii)
- CIS Critical Security Controls - 18.1
- NIST 800-53 rev 4 - RA-5
- NIST 800-171 - 3.11.2
- PCI DSS - 11.2
- ISO 27002 - 12.6.1 & 18.2.3
- HIPAA - 164.308(a)(1)(ii)(A)
- NIST Cybersecurity Framework - ID.RA-1, PR.IP-12, DE.CM-8, DE.DP-4, DE.DP-5, RS.CO-3 & RS.MI-3
- CIS Critical Security Controls - 4.1-4.8 & 15.2
- OR 646A - 622(2)(B)(iii) & 622(2)(d(A)(iii)
- NIST 800-53 rev 4 - CA-8
- NIST 800-171 - 3.12.1
- PCI DSS - 11.3-11.3.3
- NIST Cybersecurity Framework - ID.RA-1
- CIS Critical Security Controls - 20.1-20.8
Example Vulnerability & Patch Management Program Template
Don't take our word for it - take a look at the example VPMP to see for yourself the level of professionalism and detail that went into it.