Technical Vulnerability Management Practices
Cybersecurity Vulnerability & Patch Management Documentation
Once again, our customers spoke and we listened - our customers needed documentation on how they could prove they have a "vulnerability management program" in place. Similar to the other cybersecurity documentation we sell, many of our customers tried and failed to create their own program-level documentation. It is not uncommon for organizations to spent hundreds of man-hours on this type of documentation effort and only have it end in failure. That is why we are very excited about this product, since it fills a void at most organizations, both large and small.
The VPMP can serve as the cornerstone in your organization's technical vulnerability management program. It can stand alone or be paired with other specialized products we offer.
The Vulnerability & Patch Management Program (VPMP) is framework-independent (e.g., ISO, NIST, COBIT, etc.) and was designed to integrate with our Written Information Security Program (WISP) and Risk Management Program (RMP) documentation - this allows you to have policies, standards and procedures that work together to create a holistic and comprehensive cybersecurity program!
The VPMP was one of the most challenging documents we've developed over the last decade. The reason for this is the need to address and unify various components that are complex on their own - patching systems, vulnerability scanning, remediation activities and penetration testing. What this program-level document establishes is the framework to provide direction to and govern those functions, regardless of who is actually doing the work. Depending on the makeup of the organization, it can be pure IT, cybersecurity personnel, outsourced staffing or a combination of all. Given the cost associated with the effort to create a documented vulnerability management program from scratch, the VPMP priced to be affordable to all organizations.
What Is The Vulnerability & Patch Management Program (VPMP)?
The VPMP is an editable Microsoft Word document that providers program-level guidance to directly supports your company's policies and standards for managing vulnerabilities. This product addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations. Answering how vulnerabilities are managed is one of the most common deficiencies in audits, so this product fills a very crucial gap in most cybersecurity programs. The VPMP addresses fundamental needs when it comes to reasonably-expected vulnerability management requirements:
- Who is responsible for managing vulnerabilities.
- What is in scope for patching and vulnerability management.
- Defines the vulnerability management methodology.
- Defines timelines for conducting patch management operations.
- Considerations for assessing risk with vulnerability management.
- Vulnerability scanning and penetration testing guidance.
- Information Assurance (IA) guidance to support secure engineering activities.
What Problem Does The VPMP Solve?
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simple are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. It is not uncommon for organizations to spent hundreds of man-hours on this type of documentation effort and only have it end in failure.
- Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The WISP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements. The WISP maps to several leading compliance frameworks so you can clearly see what is required!
- Audit Failures - Similar to risk management, most organizations run into trouble in audits when asked HOW vulnerabilities and patches are managed, since they cannot provide documentation beyond policies and standards. The VPMP addresses the HOW for you!
- Vendor Requirements - Requirements such as PCI DSS, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to formally manage vulnerabilities. The VPMP addresses these compliance requirements!
How Does the VPMP Solve It?
- Clear Documentation - The VPMP provides the comprehensive documentation to prove that your vulnerability and patch management program exists.
- Time Savings - The VPMP provides actionable guidance on what steps can be taken to proactively address risk and keep systems patched in a sustainable manner.
- Alignment With Leading Practices - The VPMP is written to support leading practices for patching, vulnerability scanning, penetration testing and vulnerability remediation.
Product Example - Vulnerability & Patch Management Program (VPMP)
Our customers choose the Vulnerability & Patch Management Program (VPMP) because they:
- Need a comprehensive approach to manage technical vulnerabilities
- Need to be able to edit the document to their specific needs
- Have documentation that is directly linked to best practices, laws and regulations
- Need an affordable solution
Don't take our word for it - take a look at the example below to see for yourself the level of professionalism and detail that went into it.
Cost Savings Estimate - Vulnerability & Patch Management Program (VPMP)
The process of writing cybersecurity policies and standards can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time.This also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months.
When you look at the costs associated with either hiring a consultant to write cybersecurity documentation for you or tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Purchasing the VPMP offers these clear advantages:
- Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars!
- Compared to writing your own documentation, you can potentially save hundreds of man-hours and the associated cost of lost productivity.
- Orders are usually processed the same business day so you get your documentation quickly!
When you factor in approximately 80+ hours of a cybersecurity consultant and the internal staff time to perform reviews and refinements with key stakeholders, purchasing a VPMP from ComplianceForge is approximately 6% ($22,500+ savings) of the cost as compared to hiring a consultant to write it for you!
When you factor in 150+ hours of internal staff time to research, write and peer review cybersecurity documentation, purchasing a VPMP from ComplianceForge is approximately 12% ($9,500+ savings) of the cost as compared to writing your own documentation!
Who Typically Buys This Product?
In no order of preference, these are the most common buyers for the VPMP:
- A new contract/regulation specifically calls out a vulnerability management capability and the vendor can't meet that requirement (e.g., NIST 800-171);
- A company is going to get audited soon by an external party and is scrambling for documentation its staff can easily implement;
- A company just failed an external audit and its staff is scrambling to implement a program to make up for the deficiency in the audit;
- Recent leadership changes uncovered internal program weaknesses that need to be remediated;
- An annual internal review of IT General Controls (ITGC) pointed to deficient processes within vulnerability management; and
- A risk assessment identified remediation efforts as deficient and the issue needs to be remediated to remove it from the risk register.
Why You Need A Documented Vulnerability & Patch Management Program!
The following statutory, regulatory and contractual sources specifically have requirements surrounding patching, vulnerability remediation, vulnerability scanning and penetration testing:
Vulnerability Management - Including Patch / Flaw Management
- NIST 800-53 rev 4 - SI-2 & SA-11
- NIST 800-171 - 3.14.1, 3.14.2 & 3.14.3
- PCI DSS - 6.1, 6.2 & 6.6
- ISO 27002 - 12.6.1 & 16.1.3
- NIST Cybersecurity Framework - ID.RA-1 & PR.IP-12
- CIS Critical Security Controls - 4.5, 4.7 & 16.6
- MA 201 CMR 17.00 - 17.04(6)
- OR 646A - 622(2)(d)(B)(iii)
Vulnerability Remediation Processes
- NIST 800-53 rev 4 - PM-04
- NIST 800-171 - 3.11.3 & 3.12.2
- ISO 27002 - 12.6.1
- NIST Cybersecurity Framework - ID.RA-6
- CIS Critical Security Controls - 4.7, 4.8 & 18.1
- MA 201 CMR 17.00 - 17.03(2)(j)
- OR 646A - 622(2)(d)(B)(iii)
- CIS Critical Security Controls - 18.1
- NIST 800-53 rev 4 - RA-5
- NIST 800-171 - 3.11.2
- PCI DSS - 11.2
- ISO 27002 - 12.6.1 & 18.2.3
- HIPAA - 164.308(a)(1)(ii)(A)
- NIST Cybersecurity Framework - ID.RA-1, PR.IP-12, DE.CM-8, DE.DP-4, DE.DP-5, RS.CO-3 & RS.MI-3
- CIS Critical Security Controls - 4.1-4.8 & 15.2
- OR 646A - 622(2)(B)(iii) & 622(2)(d(A)(iii)
- NIST 800-53 rev 4 - CA-8
- NIST 800-171 - 3.12.1
- PCI DSS - 11.3-11.3.3
- NIST Cybersecurity Framework - ID.RA-1
- CIS Critical Security Controls - 20.1-20.8
Which Product Is Right For You?
Our documentation is meant to address your requirements from strategic concepts all the way down to day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you have benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!