BITS Vulnerability Management Toolkit

What is Vulnerability Management?

Vulnerability Management is a critical discipline widely recognized across enterprises of all industry sectors, and yet little is available to provide a common language, practice, and expectations. This leaves enterprises to identify their own gaps without clarity of what they might be missing and to define and redefine roles, without a model. Despite shared challenges, knowledge sharing is typically infrequent and informal and often compounded by the lack of a common reference point.

The BITS Vulnerability Management Initiative assembled vulnerability practitioners from Bank Policy Institute member institutions. The objective was to create an accessible set of foundational documents to assist financial services institutions in defining the scope, framework and direction of their vulnerability management programs. The documents are intended to provide practical guidance, common terminology and clear targets for maturing the discipline in member organizations. The resulting framework seeks to be directional and practical, while allowing for varied local implementations.

The level of detail in completed products is intended to respect the individual member organization’s needs and methods while providing clarity of key concepts.


This toolkit considers Vulnerability Management as the practice of identification, assessment, reporting and disposition of technology weaknesses threatening information security associated with software and hardware.  

In the scope of this toolkit: 

  • Information technology (IT) infrastructure 
  • Software 
  • Application code 
  • Container technologies 
  • Cloud-based resources 
  • Appliances (vendor-provided integrated hardware-software assets) 
  • Secure configuration assessment (SCA) against hardening baselines 
  • End-of-security-life (EOSL) management 

Out of scope of the intent of this toolkit: 

  • Third-party vendor risk management (including SaaS) 
  • Physical security 
  • Business continuity/disaster recovery 
  • Cyber incident response 
  • Threat prevention and reduction 
  • Personnel procedure error 

Access the Complete Vulnerability Management Toolkit

Foundational Artifact Suite

Inquire About BITS Affiliate Membership

  • This field is for validation purposes and should be left unchanged.