In Closing

Now that you’ve completed measuring your mitigation strategy against the organization's SLAs, you’re able to determine the effectiveness of the organization's risk-based vulnerability management program, including what’s working well and where there are areas for improvement. This is called Continuous Improvement. This knowledge helps you communicate the value of your security program to senior management and other key stakeholders so you can effectively build their confidence in your capabilities, request additional resources, and manage expectations when high-profile cyber attacks draw media attention.

With a specific, quantifiable understanding of how the RBVM program has performed, you’ll also know exactly what adjustments to make in order to optimize your team’s effectiveness and efficiency as you continue to evolve your VM practices to align with a risk-based strategy.

Compliance References

CSF v1.1 References

• ID.RA-1

• ID.RA-5

• PR.IP-12

NIST Special Publication 800-53 Revision 5

• RA-5: Vulnerability Monitoring and Scanning

• RA-7: Risk Response

• SI-2: Flaw Remediation

• SI-2(2): Automated Flaw Remediation Status

NIST Special Publication 800-53 Revision 4

• RA-5: Vulnerability Scanning

• SI-2: Flaw Remediation

• SI-2(2): Automated Flaw Remediation Status

NIST Special Publication 800-171 Revision 2

• 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.