ProCess 191
e same kinds of service levels are provided for VM services.
Although many organizations choose not to create SLAs for VM, it
is certainly beneficial to position the entire discipline as a service to
the business that has a measurable outcome. e value of the measur-
able outcome is discussed in the description of the business case and
charter for a VM program in Chapter 3.
For now, let’s consider some basic metrics for VM as a service:
list of highest-risk business units,•
percentage of all vulnerabilities remediated monthly and •
quarterly,
percentage of estimated number of targets audited quarterly,•
percentage of critical vulnerabilities remediated versus dis-•
covered monthly and quarterly, and
average time to remediation ...