
Document title: Project Plan
Project name: Vulnerability Management
Version: 1.0
Issue date: 11/10/17

Project Plan

Client: Organization A

Project Name: Vulnerability Management

Project Manager: N/A

Synopsis: This is the initial draft for an enterprise-wide Vulnerability Management program.

Version: V1.0

Issue Date: 11/10/2017

Distribution: N/A

Prepared by: Pruthvi K

Authorized by: <Title / Name> N/A.

Page i

Amendment History
Version   Issue Date    Changes
V1.0      11/10/2017    Initial version.

Table of Contents
1 INTRODUCTION...................................................................................................................... 1
1.1 VULNERABILITY MANAGEMENT AND ITS IMPORTANCE............................................................1
2 SCOPE OF THE PROJECT..................................................................................................... 2
2.1 MAINTAINING AN ASSET INVENTORY.....................................................................................2
2.2 ASSESSING RISK LEVEL OF ASSETS AND VULNERABILITIES.......................................................2
2.3 PERFORMING VULNERABILITY ASSESSMENTS........................................................................3
2.4 TRACKING REMEDIATION AND REPORT STATUS......................................................................3
3 SCANNER SELECTION PROCESS........................................................................................ 4
4 ROLES AND RESPONSIBILITIES.......................................................................................... 5
5 COMMUNICATIONS PLAN................................................................................................... 6
6 Step-by-Step process.................................................................................................................. 7


1 Introduction

Information Technology environments are complex systems comprised of hardware,
software, operating systems and platforms, applications, services, and the people who
interact with all of the above to get their jobs done. Vulnerabilities can exist anywhere in
the environment, and managing them is a non-trivial task. At its simplest,
vulnerability management (VM) is a matter of applying security patches as they become
available. But robust VM is about more than patching: it is about defining the risk
posture and policies for an organization, creating a complete asset list of systems,
applications, and services, scanning and assessing the environment for vulnerabilities and
exposures, and then taking action to mitigate or accept those vulnerabilities. One way to
mitigate a vulnerability is to patch it, but patches aren't always available, and even
when they are, it isn't always possible to apply them. Another issue is that most networks
are continually evolving; introducing new services and applications can change the
vulnerability profile of the system as a whole. Vulnerability management becomes even
more important when combined with ongoing organizational change management, ticketing,
validation and multiple mitigation types.

1.1 Vulnerability Management and its Importance

Unfortunately, new software vulnerabilities are discovered on a daily basis. Vulnerability
management (VM) is the means of detecting, removing and controlling the inherent risk
of vulnerabilities. Scaling the vulnerability management program is important to address
company requirements, complexity, and the IT environment. Even the smallest companies
can operate manual vulnerability management processes. However, the use of automation
and workflow is recommended to ensure consistency and compliance, and to reduce cost.
The vulnerability management maturity model shown below illustrates the scalability of
the vulnerability management program.


2 Scope of the project

The only way to properly secure a system is to first assess the existing vulnerabilities on
each machine, determine the degree of risk for each vulnerability, and then
remediate (fix) the vulnerabilities. Vulnerability management provides a holistic solution
to security threats by handling vulnerabilities throughout their entire lifecycle. The
lifecycle includes the following stages:

2.1 Maintaining an Asset Inventory


Many organizations lack an effective asset inventory. Without an asset inventory, it is
difficult for systems and network engineering groups to sift through security alerts and
know which ones to monitor for. There are many open source and vendor-specific tools
available to track and manage assets in an organization. As organizations merge with and
absorb other companies, their networks are typically joined together but never truly
homogenized. The lack of resources, proper tools, and assigned responsibility becomes the
biggest obstacle to maintaining an accurate and up-to-date inventory. Some of the
common challenges are change management, rogue servers, and pocketed environments
inside the network.

Best practices:
- Establish a single point of authority for the inventory.
- Get the word out! If the process is being improved or is completely new, end users
  and support staff will need to know who to notify when something changes.
- Update inventory management systems via change management processes.
- Use an asset numbering scheme, and use consistent abbreviations and notations
  when entering data.
- Validate the inventory annually.

2.2 Assessing risk level of assets and vulnerabilities


In risk management, the three objectives are to preserve the confidentiality, integrity, and
availability of information systems. Before an organization can truly mitigate risk, its
security team must assign a risk level to new vulnerabilities as they are announced. This
exercise is important since organizations have limited resources and time before new
vulnerabilities are exploited. Assigning risk levels allows companies to prioritize large
amounts of work across a limited resource pool and still minimize the likelihood that a threat
will be realized. Threat levels are assessed by in-house security analysts, and
frameworks provided by NIST and CSIRTs can be used to determine the risk pertaining to a
specific environment. One of the biggest challenges of assigning risk to new
vulnerabilities is a lack of information. If an organization does not have documented
knowledge of its own assets, network design, defense-in-depth strategies, and processes,
it will find it difficult to quickly and accurately assess the risk level of the
vulnerability. For a smaller organization, this data can be fairly easy to collect and
document.

Best Practices:
- Checklists to help with predictable risk assessment
- Published risk evaluations for vulnerabilities and the meaning of those risk
  assessments
- An established and stringent change administration process
- A defense-in-depth approach.

2.3 Performing vulnerability assessments


Vulnerability Assessment (VA) is the process of identifying vulnerable assets. The
VA team functions as the ethical hacker and attempts to find and fix
vulnerabilities before a malicious hacker does. It is crucial for organizations to
identify vulnerable systems quickly and accurately. One of the biggest challenges
in Vulnerability Assessment is understanding what to assess. Performing
vulnerability assessments can be a time-consuming and tedious process.

Best Practices:
- Always begin with an asset inventory; if you don't have one, build one using
  nmap to discover the systems on your network.
- Test new checks in a lab to recognize any false positives, false negatives,
  and potential service disruptions.
- Follow one of the frameworks or controls provided by SANS for identifying the
  gaps in the organization.

2.4 Tracking remediation and report status

Effective reporting is critical because without it, management and system
administrators will not understand the organization's security posture, what
remains unfixed, and who should be held responsible. Reporting also gives
management something tangible to associate with the vulnerability and a way to
measure successes and failures. Remediation tracking brings Vulnerability
Management full circle. Proper documentation and a tracking structure are critical for
successful remediation and for reporting on patching status.
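The risk-level assignment of section 2.2 and the remediation tracking of section 2.4 come together in a small script. The following is an added illustration, not tooling from this plan: the asset inventory, the VULN-* references, the CVSS scores, the exposure weights and the SLA days are all constructed assumptions. It scales each scanner finding by the criticality and exposure of the asset it sits on, buckets the result into a risk level, flags open findings that have outlived the SLA for that level, and rolls the status up per asset owner so that a report can say what remains unfixed and who is accountable.

```python
"""Risk rating and remediation tracking, as an added illustration of sections
2.2 and 2.4. The inventory, findings, weights and SLA targets below are
constructed assumptions, not values from the plan."""
from datetime import date

# Reporting date used by the example (constructed).
REPORT_DATE = date(2017, 11, 10)

# Constructed asset inventory: owner, criticality 1 (low) .. 3 (high), exposure.
ASSETS = {
    "web-01":  {"owner": "app-team", "criticality": 3, "exposure": "internet"},
    "db-01":   {"owner": "dba-team", "criticality": 3, "exposure": "internal"},
    "test-07": {"owner": "qa-team",  "criticality": 1, "exposure": "internal"},
}

# Constructed scanner findings; VULN-* references are placeholders, not real ids.
FINDINGS = [
    {"id": "VULN-0001", "asset": "web-01",  "cvss": 9.8, "status": "open",     "first_seen": date(2017, 9, 1)},
    {"id": "VULN-0002", "asset": "db-01",   "cvss": 7.5, "status": "open",     "first_seen": date(2017, 10, 20)},
    {"id": "VULN-0003", "asset": "test-07", "cvss": 9.8, "status": "open",     "first_seen": date(2017, 8, 1)},
    {"id": "VULN-0004", "asset": "web-01",  "cvss": 4.3, "status": "accepted", "first_seen": date(2017, 7, 1)},
    {"id": "VULN-0005", "asset": "db-01",   "cvss": 5.0, "status": "fixed",    "first_seen": date(2017, 9, 15)},
]

# Assumed weights: an internal-only asset is reachable by fewer attackers.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6}
# Assumed remediation SLAs in days per risk level.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(finding, assets=ASSETS):
    """Scale the scanner's CVSS score by asset criticality and exposure (0..10)."""
    asset = assets[finding["asset"]]
    score = finding["cvss"] * (asset["criticality"] / 3) * EXPOSURE_WEIGHT[asset["exposure"]]
    return round(score, 1)


def risk_level(score):
    """Map a score onto the risk levels the SLA table is keyed by."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def overdue(findings, today=REPORT_DATE, assets=ASSETS):
    """Open findings whose age exceeds the SLA for their risk level."""
    late = []
    for f in findings:
        if f["status"] != "open":
            continue
        level = risk_level(risk_score(f, assets))
        age = (today - f["first_seen"]).days
        if age > SLA_DAYS[level]:
            late.append((f["id"], level, age - SLA_DAYS[level]))
    return sorted(late)


def status_report(findings, assets=ASSETS):
    """Per-owner counts by status: what remains unfixed and who is accountable for it."""
    report = {}
    for f in findings:
        owner = assets[f["asset"]]["owner"]
        counts = report.setdefault(owner, {"open": 0, "fixed": 0, "accepted": 0})
        counts[f["status"]] += 1
    return report


if __name__ == "__main__":
    for f in FINDINGS:
        s = risk_score(f)
        print(f"{f['id']} on {f['asset']}: cvss {f['cvss']} -> risk {s} ({risk_level(s)}), {f['status']}")
    print("overdue:", overdue(FINDINGS))
    print("by owner:", status_report(FINDINGS))
```

The point the numbers make is the one section 2.2 argues: the same CVSS 9.8 finding is critical on the internet-facing web server but low on an isolated test box, so the limited resource pool goes to the first one. The overdue list and the per-owner counts are the two tables a monthly status report needs under section 2.4.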


3 Scanner selection process

As vulnerability management is the process surrounding vulnerability scanning, it is
important to understand how vulnerability scans are performed and what tools are
available. Thorough testing is required before selecting a vulnerability scanner,
as most scanners produce false positives and a secondary tool needs to be used for
verification purposes. Another aspect to look out for while selecting a tool is its reporting
capability. Reporting for vulnerability assessment is as important as the process
itself. If the reporting is not accurate and comprehensible, the respective teams will have
difficulty fixing the issues, which defeats the purpose. Organizations can also leverage
tools like OpenVAS, which is open source and free to use, to validate the results
generated by other tools.
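The verification step described above, cross-checking one scanner's results against a secondary tool, is shown below as an added example; it is not code from this plan or from any scanner vendor. The two result sets, the host names, the ports and the VULN-* references are constructed. The script normalises the two tools' differing formats so that a match is not hidden by a capitalised host name or a port exported as a string, then splits the primary scanner's findings into confirmed (seen by both), unconfirmed (primary only, to be verified by hand before a ticket is raised) and secondary-only (possible misses of the primary tool), and reports how often the two tools agree on severity.

```python
"""Cross-validation of two scanners' findings (added example; not the plan's
own tooling). Hosts, ports and VULN-* references are constructed placeholders."""

# Constructed output of the primary scanner under evaluation.
PRIMARY = [
    {"host": "Web-01", "port": 443,  "ref": "VULN-0101", "severity": "high"},
    {"host": "web-01", "port": 22,   "ref": "VULN-0102", "severity": "medium"},
    {"host": "db-01",  "port": 1433, "ref": "VULN-0103", "severity": "critical"},
    {"host": "db-01",  "port": 1433, "ref": "VULN-0104", "severity": "low"},
]
# Constructed output of the secondary validation tool (e.g. an OpenVAS export);
# note the different casing, whitespace and string-typed ports.
SECONDARY = [
    {"host": "WEB-01 ", "port": "443",  "ref": "vuln-0101", "severity": "high"},
    {"host": "db-01",   "port": "1433", "ref": "VULN-0103", "severity": "high"},
    {"host": "db-01",   "port": "3306", "ref": "VULN-0105", "severity": "medium"},
]


def normalize(finding):
    """Key a finding so the two tools' formatting differences do not hide a match."""
    return (finding["host"].strip().lower(), int(finding["port"]), finding["ref"].upper())


def reconcile(primary, secondary):
    """Split the primary tool's findings by whether the secondary tool saw them too."""
    p = {normalize(f) for f in primary}
    s = {normalize(f) for f in secondary}
    return {
        "confirmed": sorted(p & s),        # safe to ticket straight away
        "unconfirmed": sorted(p - s),      # verify manually: candidate false positives
        "secondary_only": sorted(s - p),   # candidate false negatives of the primary tool
    }


def agreement_rate(result):
    """Share of primary findings the second tool also saw; a low value argues against the scanner."""
    total = len(result["confirmed"]) + len(result["unconfirmed"])
    return round(len(result["confirmed"]) / total, 2) if total else 0.0


def severity_disagreements(primary, secondary):
    """Confirmed findings the two tools rate differently; these need an analyst's own rating."""
    p = {normalize(f): f["severity"] for f in primary}
    s = {normalize(f): f["severity"] for f in secondary}
    return sorted((key, p[key], s[key]) for key in p.keys() & s.keys() if p[key] != s[key])


if __name__ == "__main__":
    result = reconcile(PRIMARY, SECONDARY)
    for bucket, keys in result.items():
        print(bucket, keys)
    print("agreement rate:", agreement_rate(result))
    print("severity disagreements:", severity_disagreements(PRIMARY, SECONDARY))
```

Run against a lab environment whose true state is known, the unconfirmed bucket is the scanner's false-positive list and the secondary-only bucket its false-negative list; both feed directly into the selection decision this section calls for, and the agreement rate gives a single number to compare candidate scanners on.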


4 Roles and Responsibilities

When building a vulnerability management process, the following roles should be
identified within the organization:
- Security Officer: The security officer is the owner of the vulnerability
  management process. This person designs the process and ensures it is
  implemented as designed.
- Vulnerability Engineer: The vulnerability engineer role is responsible for
  configuring the vulnerability scanner and scheduling the various
  vulnerability scans.
- Asset Owner: The asset owner is responsible for the IT asset that is
  scanned by the vulnerability management process. This role should
  decide whether identified vulnerabilities are mitigated or their associated
  risks are accepted.
- IT System Engineer: The IT system engineer role is typically responsible
  for implementing remediating actions defined as a result of detected
  vulnerabilities.


5 Communications Plan
To be developed.

The communications plan lists, for each stakeholder: what information they need, why
they need it, when they will get it, and how they will get it.

Who: Client sponsor
  What: High level understanding of functionality
  Why: To understand what they are sponsoring
  When: Already have initial version; will get an update when the Project Functional
        Specification with User Interface Prototype is completed.
  How: Initial version via the "Project Scope section" of the standard "IT / User
       Project Agreement". Update via an extract of the executive summary from the
       Functional Specification when it is produced, and a demo in person of the
       prototype.

Who: Client sponsor
  What: Progress & financial status
  Why: To understand the progress the project is making, to monitor the ROI
  When: Monthly
  How: Copied on monthly status report.

Who: Client Project Manager
  What: Detailed functionality description
  Why: To approve specifications with the users
  When: Draft during specification phase, final version when specification is
        completed. Similar with prototype.
  How: Review and approval of draft & final Functional Specification and prototype.

Who: Client Project Manager
  What: Detailed project plan with finances
  Why: To agree on business involvement for the project, key milestones, overall budget.
  When: When the first draft of the planning process is completed.
  How: Project Plan document for review and approval.

Who: Client Project Manager
  What: Details of acceptance test process and test cases
  Why: To agree with the project how the work will be deemed "complete"
  When: During test preparation phase as defined in Project Plan
  How: Acceptance Test Plan and Acceptance Test Cases for review and approval.

Who: Client Project Manager
  What: Detailed progress & financial reports
  Why: To understand how the work is progressing, changes to the business involvement.
  When: Monthly
  How: Copied on monthly status report.

Who: Client Project Manager
  What: Details of requested changes
  Why: To authorize additional expenditures, changes in functionality, changes in
       working practices.
  When: As they are raised, either by business side or project side.
  How: Formal project change request form for review and approval.

This section may also describe a process by which constant monitoring of the effectiveness of the project
communications is undertaken.


6 Step-by-Step process

The preparation phase is the first phase in a vulnerability management process.
To prevent being overwhelmed by thousands of vulnerabilities identified in the
first scans, it is recommended to start with a small scope. This can be achieved
by starting out with a small number of systems or by limiting the number of
vulnerabilities identified by the vulnerability scanner. The preparation phase is
mainly the responsibility of the Security Officer in an organization. The first step is
to define the scope of the vulnerability management process. It is important to
obtain agreement on which systems will be included in or excluded from the
vulnerability management process. Besides the in-scope systems, an organization
should also determine the type of scans. Possibilities include an external scan,
performed from the perspective of an external attacker on the internet, or an
internal scan, from the perspective of an attacker on the internal network. Both
types of scans can be either unauthenticated or authenticated.

An external scan provides an overview of the security vulnerabilities visible from
the internet, while an internal scan shows the vulnerabilities visible from the
local network, taking into account host-based security controls that are present
on the target system. By performing an internal scan of each component in an
architecture, the results can provide information on how well each layer is
secured. The small scope will allow the stakeholders involved to focus on
implementing the process and prevent them from being overwhelmed with
vulnerability information from hundreds or thousands of systems. Informing IT,
specifically the teams managing firewalls, IDS or other security monitoring systems,
should be part of any vulnerability management process. The alerting on such
systems is often triggered by vulnerability scanning tools, so it's important to
ensure these teams are aware of the vulnerability scans. The last step of the
preparation phase consists of planning the vulnerability scans. Depending on the
scan configuration, which includes the number of vulnerability checks, whether
the scan is authenticated, and the applications installed on the target, a
vulnerability scan against a single IP address can take between a few minutes
and a few hours. In case it is unclear how long a certain scan could last, it is
recommended to perform a test scan on a similar test environment. This will
provide an estimate of how long these scans will take and their impact on the
network.
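The preparation steps above (agree the scope, pick the scan type, warn the monitoring teams, estimate duration from a test scan) can be captured in a short planning script. This is an added example written for this page, not tooling from the plan; the address ranges (RFC 5737 documentation space and a private range), the excluded host, the profile names, the per-host timing and the parallelism are all assumed. The scope check treats exclusions as overriding inclusions and refuses anything outside the agreed ranges rather than silently scanning it, which is the agreement the text says must be obtained before the first scan.

```python
"""Scan scoping and planning example (added; not the plan's own tooling).
Address ranges, profiles, sample timings and parallelism are assumed values."""
import ipaddress
from datetime import timedelta

# Constructed scope agreement: which systems are in or out of the process.
SCOPE = {
    "included": ["10.10.1.0/24", "203.0.113.0/28"],
    "excluded": ["10.10.1.250/32"],   # agreed exclusion, e.g. a fragile legacy host
}

# The scan types the plan names: perspective and whether credentials are used.
SCAN_PROFILES = {
    "external-unauthenticated": {"perspective": "internet", "authenticated": False},
    "internal-unauthenticated": {"perspective": "local network", "authenticated": False},
    "internal-authenticated":   {"perspective": "local network", "authenticated": True},
}


def classify_targets(targets, scope=SCOPE):
    """Split requested targets into scan / excluded / out-of-scope per the agreement."""
    included = [ipaddress.ip_network(n) for n in scope["included"]]
    excluded = [ipaddress.ip_network(n) for n in scope["excluded"]]
    result = {"scan": [], "excluded": [], "out_of_scope": []}
    for target in targets:
        ip = ipaddress.ip_address(target)
        if any(ip in net for net in excluded):
            result["excluded"].append(target)       # exclusions win over inclusions
        elif any(ip in net for net in included):
            result["scan"].append(target)
        else:
            result["out_of_scope"].append(target)   # needs a scope change before it is ever scanned
    return result


def estimate_duration(host_count, sample_minutes_per_host, parallel_hosts):
    """Extrapolate wall-clock time from a test scan run on a similar environment."""
    if host_count == 0:
        return timedelta(0)
    rounds = -(-host_count // parallel_hosts)   # ceiling division
    return timedelta(minutes=rounds * sample_minutes_per_host)


def build_plan(profile_name, targets, sample_minutes_per_host, parallel_hosts, scope=SCOPE):
    """Assemble the plan that goes to stakeholders before the first scan runs."""
    profile = SCAN_PROFILES[profile_name]
    split = classify_targets(targets, scope)
    # Teams that must expect the scan so that firewall/IDS alerts are not escalated as an attack.
    notify = ["firewall team", "IDS/monitoring team"]
    if profile["authenticated"]:
        notify.append("asset owners (scan credentials)")
    return {
        "profile": profile_name,
        "perspective": profile["perspective"],
        "authenticated": profile["authenticated"],
        "targets": split["scan"],
        "excluded": split["excluded"],
        "rejected_out_of_scope": split["out_of_scope"],
        "estimated_duration": estimate_duration(len(split["scan"]), sample_minutes_per_host, parallel_hosts),
        "notify": notify,
    }


if __name__ == "__main__":
    requested = ["10.10.1.5", "10.10.1.250", "10.10.2.7", "203.0.113.3"]
    plan = build_plan("internal-authenticated", requested, sample_minutes_per_host=45, parallel_hosts=4)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

A request that lands in rejected_out_of_scope is the trigger for a scope discussion with the Security Officer, not for a wider scan; and the duration estimate only means something once sample_minutes_per_host comes from a real test scan of a comparable system, as the text recommends.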
