Vulnerability Risk Mitigation Tool (VRMT): Implementing the Company Security Policy

VRMT is a tool to manage vulnerability records in accordance with a defined company security policy. In effect, the company policy sets the criteria by which each individual vulnerability is regarded as important for remediation or not.


The goal of the tool is to apply corporate IT security and asset policies to incoming vulnerability alerts before they are handed down to the organizational structure, that is, to the business division and the functional scope (e.g. Linux system lines) it is in control of and ultimately needs to keep functioning properly, and to the people responsible for deciding whether and when a fix needs to be applied.


But how does the tool know who in the organization is responsible for which vulnerability? Moreover, which networks, systems and applications are impacted? Which of them are critical to running the day-to-day business and to preserving precious corporate assets such as customer data, supplier data or, for instance, R&D developments?


Here, the tool needs to learn several aspects about the company it is operating for. At its core, VRMT needs to know how the company is set up from a personnel and IT assets point of view. Beyond that, VRMT needs to react quickly, since timeliness is the critical factor in effectively warding off the adverse effects of lingering threats.


To this end, VRMT is fed with the following information to quickly channel the right information to the right place:


  • Organizational Structure with regard to vulnerabilities: which team is in charge of which threat type and needs to be informed (Responsibility), and which Business Division these teams belong to (Accountability).
  • IT Systems Map: which IT environment has what degree of impact on the overall well-being of the company and, hence, needs to be guarded carefully against attacks or leaks.


Both components together form the VRMT Operating Model.


When done, the information of the Operating Model constitutes an important part of the company's security policy that is relevant for managing IT vulnerabilities. VRMT reflects that policy and leverages it to attribute systems with adequate priorities and distribute alerts to the right people.

Keep VRMT Operating Model Up-To-Date

Customer requirements are capricious, markets are volatile, and so are changes within companies. To stay up-to-date despite frequent changes, the VRMT Operating Model needs to be maintained on a regular basis. In most cases this task is up to the Data Steward or a comparable role that is charged with applying the organization's data governance processes to ensure the fitness of data elements, both their content and their metadata.


Before incoming vulnerability alerts can be distributed to the correct contacts within the organization, they need to be enriched with an array of attributes such as system impact, risk type, etc. This task is carried out by the process preparations staff, who will primarily use the Rule Engine's tools to add valuable corporate information to incoming alert files.
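The two Operating Model components described above (Organizational Structure and IT Systems Map) and the Rule Engine's enrichment step can be illustrated with a small routing example. This is an added illustration and not VRMT's own code or data format; the team names, system ids, impact scale, the P1..P4 bucketing and the fallback to a Data Steward queue are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample Operating Model (illustration only, not VRMT's own data format).
# Organizational Structure: threat type -> (responsible team, accountable business division)
ORG_STRUCTURE = {
    "os": ("linux-platform-team", "Infrastructure Division"),
    "web": ("appsec-team", "Digital Products Division"),
    "database": ("dba-team", "Infrastructure Division"),
}
# IT Systems Map: system id -> degree of impact on the business (1 = low ... 4 = critical)
SYSTEMS_MAP = {
    "srv-crm-01": 4,     # holds customer data
    "srv-build-07": 2,   # CI build host
    "srv-rnd-db-03": 4,  # R&D database
}

@dataclass
class Alert:
    alert_id: str
    system: str
    threat_type: str
    cvss: float                                 # severity as delivered in the alert file
    attrs: dict = field(default_factory=dict)   # attributes added by the rule step

def enrich(alert, org=ORG_STRUCTURE, systems=SYSTEMS_MAP):
    """Attach impact, responsibility, accountability and a priority to one alert.
    Alerts whose system or threat type is missing from the Operating Model cannot be
    prioritized reliably and are routed to the Data Steward for model maintenance."""
    impact = systems.get(alert.system)
    team, division = org.get(alert.threat_type, (None, None))
    if impact is None or team is None:
        alert.attrs.update(route="data-steward", priority=None,
                           reason="system or threat type not in operating model")
        return alert
    # Priority: severity scaled by business impact, bucketed into P1 (highest) .. P4.
    score = alert.cvss * impact / 4.0
    priority = "P1" if score >= 7 else "P2" if score >= 5 else "P3" if score >= 3 else "P4"
    alert.attrs.update(impact=impact, responsible=team, accountable=division,
                       priority=priority, route=team)
    return alert

def route_batch(alerts):
    """Enrich a batch and group alert ids by destination queue, most urgent first."""
    queues = {}
    for a in sorted(map(enrich, alerts), key=lambda a: a.attrs["priority"] or "P9"):
        queues.setdefault(a.attrs["route"], []).append(a.alert_id)
    return queues
```

An alert on an unmapped system is deliberately not given a priority; it surfaces as a gap in the Operating Model rather than being silently ranked low.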

Minimize the Time Lag between Discovery and Patching

VRMT has been designed with automation in mind. As the main challenge of vulnerability management is to rapidly categorize and prioritize a vast amount of line item files, the app greatly simplifies this critical process. It thus minimizes the time between detecting a vulnerability, prioritizing and assessing it, and ultimately routing it towards a proper patching method.


Besides making the process completely transparent, this reduces the time between detection and patch application to a minimum.


To increase general usability, this manual's content is structured in chapters that are especially geared towards a so-called Technical System Owner (TSO). This function is in charge of a special set of coordination and maintenance tasks that need to be performed in the system to arrange for down-stream transactions. The relevant chapters are:



The remainder of the manual is geared towards process preparations staff. The relevant chapters are:


Disclaimer: While the manual emphasizes pure process functions, it does not confer any information or guidance on the assessment of vulnerabilities as such, nor does it detail whether and to what extent valuation parameters should be set. Instead, this task needs to be undertaken by an appropriate work group or subject matter experts guided by internal company policy or work instructions.


updated on: 5/9/2019 updated by: Wolfgang Stoettner  v1.0.1