In the vulnerability management process, the risk caused by information security vulnerabilities is classified and mitigated.
The default vulnerability management process requires the Vulnerability-Manager
to enter specific information into a pre-defined table in the first step.
The columns are a short description of the newly identified information security vulnerability, the date of discovery, information about how the vulnerability was identified, and a contact.
In the subsequent question-step, the risk caused by the vulnerability needs to be classified as 'low', 'medium' or 'high'.
In this context, a classification of 'low' means there is a low probability of an attacker exploiting this vulnerability.
A classification of 'medium' means that under specific circumstances, an attacker might be able to exploit this vulnerability.
Classifying the risk as 'high' means there is a high probability of an attacker exploiting this vulnerability.
Depending on the classification, the Vulnerability-Manager needs to execute three different types of steps.
If the risk is classified as 'low', the Vulnerability-Manager can enter free text describing how and by when the vulnerability will be treated (left path).
If the risk is classified as 'medium', the Vulnerability-Manager needs to upload a document describing in detail how and by when the vulnerability will be treated (path in the middle).
Finally, if the risk is classified as 'high', the Risk-Manager
is informed about the issue and asked to start a risk management process that analyzes the risk in detail.
As with the other processes, all data from the executed instances of the vulnerability management process are collected and can be accessed and exported by the process owner at any time.
With the Cybermain Governance platform, you can easily create arbitrary processes by defining and connecting process steps.
There are question steps, steps in which a file upload is requested, steps in which a table has to be filled out or free text is required, and steps in which someone is informed with a message and needs to confirm that message.
The processes can be executed by users, roles or groups in an organization.
As soon as a new step has to be carried out, the corresponding users are automatically informed.
The collected information is securely stored and can be exported by the process owner.
Create arbitrary processes for your organization or adapt and use default processes.