BITS Vulnerability Management Toolkit
What is Vulnerability Management?
Vulnerability Management is a critical discipline widely recognized across enterprises of all industry sectors, and yet little is available to provide a common language, practice, and expectations. This leaves enterprises to identify their own gaps without clarity of what they might be missing and to define and redefine roles, without a model. Despite shared challenges, knowledge sharing is typically infrequent and informal and often compounded by the lack of a common reference point.
The BITS Vulnerability Management Initiative assembled vulnerability practitioners from Bank Policy Institute member institutions. The objective was to create an accessible set of foundational documents to assist financial services institutions in defining the scope, framework and direction of their vulnerability management programs. The documents are intended to provide practical guidance, common terminology and clear targets for maturing the discipline in member organizations. The resulting framework seeks to be directional and practical, while allowing for varied local implementations.
The level of detail in completed products is intended to respect the individual member organization’s needs and methods while providing clarity of key concepts.
Scope
This toolkit considers Vulnerability Management to be the practice of identifying, assessing, reporting and dispositioning technology weaknesses in software and hardware that threaten information security.
In the scope of this toolkit:
- Information technology (IT) infrastructure
- Software
- Application code
- Container technologies
- Cloud-based resources
- Appliances (vendor-provided integrated hardware-software assets)
- Secure configuration assessment (SCA) against hardening baselines
- End-of-security-life (EOSL) management
Out of scope for this toolkit:
- Third-party vendor risk management (including SaaS)
- Physical security
- Business continuity/disaster recovery
- Cyber incident response
- Threat prevention and reduction
- Personnel procedure error
Foundational Artifact Suite
- Maturity Model — This document presents the significant processes and sub-processes of the vulnerability management discipline. For each sub-process, descriptive text defines five maturity levels, giving member organizations a target picture of what each sub-process looks like at each stage of maturity.
- Process Health Metrics — This document comprises a primary set of metric definitions that can apply to member organizations. Metrics are provided for three categories: security operations, remediation response, and organizational risk. The metrics serve to measure the health of vulnerability management processes and to provide a foundation for potential future benchmarks across member organizations.
- Vulnerability Risk Index [Members Only] — This document provides a logical model for asserting the trended risk presented to the organization across vulnerabilities of all types. It considers attributes related to vulnerabilities, assets and time. It can be used to give senior management an assessment of risk that shows whether risk is trending up or down relative to prior periods, and whether it sits above or below defined targets.
- Recommended Organizational Framework — This document provides a framework of roles and activities to be expected in a viable vulnerability management program. The document is intended to allow member organizations to identify gaps or conflicts in the focus afforded to the primary functions of a vulnerability management program.
- Glossary — This document defines terms relevant to vulnerability management. It is intended to provide member organizations a common language for discussion, and for potential use in future process and metric definitions.