Vulnerability Management Life Cycle

The Vulnerability Management Life Cycle is intended to allow organizations to identify computer system security weaknesses; prioritize assets; assess, report, and remediate the weaknesses; and verify that they have been eliminated.

In computer security, a vulnerability is a security flaw or weakness that allows an intruder to reduce a system’s information assurance. A vulnerability requires three elements: a system weakness, an intruder’s access to the weakness, and the intruder’s ability to exploit the weakness using a tool or technique.

Steps in the Vulnerability Management Life Cycle

The following diagram illustrates the steps in the Vulnerability Management Life Cycle.

Vulnerability Management Life Cycle: Discover, Prioritize Assets, Assess, Report, Remediate, and Verify

The steps in the Vulnerability Management Life Cycle are described below.

  1. Discover: Inventory all assets across the network and record host details, including operating system and open services, so that vulnerabilities can be identified against a known baseline. Develop a network baseline. Identify security vulnerabilities on a regular, automated schedule.
  2. Prioritize Assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to your business operation.
  3. Assess: Determine a baseline risk profile so you can eliminate risks based on asset criticality, vulnerability threat, and asset classification.
  4. Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
  5. Remediate: Prioritize and fix vulnerabilities in order according to business risk. Establish controls and demonstrate progress.
  6. Verify: Verify that threats have been eliminated through follow-up audits.
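The six steps above form one procedure, and the part that is easiest to get wrong in practice is the hand-off from Prioritize Assets through Assess to Remediate: a severe finding on a throw-away lab host should not outrank a moderate finding on a payment database. The following Python model, added here as an illustration and not taken from the page or any vendor's product, walks a constructed inventory through Discover, Prioritize Assets, Assess, Report, Remediate, and Verify. The host names, asset groups, the 1..5 criticality scale, the CVSS-style scores, the `VULN-*` identifiers, and the risk formula (criticality times severity, multiplied by 1.5 when a public exploit is known) are all assumptions chosen for the example; a real programme would take them from its own inventory, scanner output, and security policy.

```python
"""Worked model of the Vulnerability Management Life Cycle (added example).

Everything below is constructed for illustration: hosts, groups, scores,
vulnerability ids and the risk formula are assumptions, not data from any
real environment or scanner.
"""
from dataclasses import dataclass

# --- Discover: (constructed) asset inventory with host details ---------------
ASSETS = {
    "db-prod-01":  {"group": "payments", "os": "linux",   "services": [5432]},
    "web-prod-02": {"group": "payments", "os": "linux",   "services": [80, 443]},
    "wiki-int-01": {"group": "internal", "os": "linux",   "services": [443]},
    "lab-win-07":  {"group": "lab",      "os": "windows", "services": [3389]},
}

# --- Prioritize Assets: business value per asset group (assumed scale 1..5) --
GROUP_CRITICALITY = {"payments": 5, "internal": 3, "lab": 1}


@dataclass
class Finding:
    host: str
    vuln_id: str          # placeholder ids; a scanner would give plugin ids or CVEs
    cvss: float           # severity, CVSS-style base score 0..10
    exploit_known: bool   # threat context: is a public exploit available?
    status: str = "open"


# --- Assess: risk = asset criticality * severity, boosted when exploited -----
def risk_score(finding, assets=ASSETS, crit=GROUP_CRITICALITY):
    group = assets[finding.host]["group"]
    base = crit[group] * finding.cvss
    return round(base * (1.5 if finding.exploit_known else 1.0), 1)


# --- Report: business risk per asset group, as a policy owner would read it --
def risk_by_group(findings, assets=ASSETS):
    totals = {}
    for f in findings:
        if f.status == "open":
            group = assets[f.host]["group"]
            totals[group] = totals.get(group, 0.0) + risk_score(f)
    return {g: round(v, 1) for g, v in totals.items()}


# --- Remediate: ordered work queue, highest business risk first --------------
def remediation_queue(findings):
    open_findings = [f for f in findings if f.status == "open"]
    # tie-break on host and id so the order is stable and reproducible
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))


# --- Verify: a finding closes only when the follow-up scan no longer has it --
def verify(findings, rescan_results):
    """rescan_results: set of (host, vuln_id) still reported by the rescan."""
    closed = []
    for f in findings:
        if f.status == "open" and (f.host, f.vuln_id) not in rescan_results:
            f.status = "verified_closed"
            closed.append(f)
    return closed


def sample_findings():
    """Constructed scanner output for the inventory above."""
    return [
        Finding("db-prod-01",  "VULN-A", 9.8, exploit_known=True),
        Finding("wiki-int-01", "VULN-B", 9.8, exploit_known=True),
        Finding("web-prod-02", "VULN-C", 6.5, exploit_known=False),
        Finding("lab-win-07",  "VULN-D", 9.0, exploit_known=True),
        Finding("wiki-int-01", "VULN-E", 4.0, exploit_known=False),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print("Risk by group:", risk_by_group(findings))
    for f in remediation_queue(findings):
        print(f"{risk_score(f):6.1f}  {f.host:12} {f.vuln_id}")
    # Simulated follow-up audit: only VULN-B on the wiki is still reported.
    still_present = {("wiki-int-01", "VULN-B")}
    closed = verify(findings, still_present)
    print("Verified closed:", [f.vuln_id for f in closed])
    print("Still open:", [f.vuln_id for f in remediation_queue(findings)])
```

Note how `VULN-D`, a 9.0 on the lab box, lands below `VULN-C`, a 6.5 on the production web server: that inversion relative to raw severity is exactly what the Prioritize Assets and Assess steps are for. The `verify` function also refuses to close a finding on the strength of a ticket being marked done; only the absence of the finding from the rescan moves it to `verified_closed`.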

Page last reviewed: October 24, 2018