255
8
pl a n n I n g
8.1 Introduction
Up to this point, I have discussed the various aspects of vulnerability
management (VM) and their relevance to the overall VM process. I
have also described the broader role of VM in an organization’s risk
management function and maintenance of security posture. Many of
the individual stages of implementing VM have been described, such
as the development of policies, processes, and requirements. But, what
is needed now are a project plan, checklists, and strategies to get the
program off the ground.
is chapter will provide you with the checklists, plans, strategies,
and advice to help you develop a complete VM program in a large,
globally distributed company. Some selectivity and tailoring will be
required to match specific program needs, which may include the fol-
lowing components:
VM program charter,•
business case,•
requirements document,•
security architecture proposal,•
project plan,•
request for proposal,•
implementation plan,•
operations process document,•
asset valuation guide, and•
vulnerability and remediation policy.•
Each of these documents informs the subsequent one. e process is
not linear but rather a series of feedback loops of decreasing iteration
over time. When you write the program charter, it will set the tone for
the business case. Research for the business case may provide discov-
ery that will modify your charter. As the requirements are developed,
256 Vulnerability ManageMent
you may find additional benefits not originally articulated in the busi-
ness case that will increase the scope of the project but are essential to
the organization. en, you may decide to adjust your business case
and present it to management for additional funding.
In any project, we must acknowledge from the outset that you are
not going to create and operate a perfect project plan from the begin-
ning. Every project is a learning process and, although I have provided
you with advice for the framework here, more complete documenta-
tion and project management will be required. is is not a chapter
on how to manage a project. We will instead discuss critical charac-
teristics of a VM project.
8.2 Charter Development
e VM program charter is a very important document that sets the
goals and objectives of the program as well as the business rationale.
e former point is obvious but the latter is the most important. For
the program to be successful, senior management must understand
and accept that there is real business value.
8.2.1 Introduction: Business Value
Business value must be articulated up front in the introduction of a
charter. It answers the critical question: “why should I spend money
on this?” is value can be presented in many ways; for example:
Provide tangible examples of what may typically be broken •
and why it must be xed. is can be a short list of vulner-
abilities that have been exploited at other companies and have
caused quantifiable damage. It is also important to make the
case that the potential damage from vulnerabilities has a cost
to the business in downtime and added labor beyond that
which would be required for a VM program. is topic is
more exhaustively explored in Philip B. Crosby’s book Quality
Is Free: e Art of Making Quality Certain.*
*
McGraw-Hill, 1979.

Get Vulnerability Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.