159PRTZ Base

Vulnerability Prioritization

    Service Overview

    Vulnerability Prioritization is the process of identifying and prioritizing vulnerabilities within systems, applications, networking infrastructure, devices, and hardware. Vulnerabilities exist in all technology assets. By taking an inventory of technology assets and identifying their vulnerabilities, actionable and prioritized plans can be created to facilitate fast, focused remediation, reducing overall vulnerability and risk.

    Objectives

    The objectives of this initiative are as follows:

    1. Review results from monthly scan activities and analyze using insights from industry and Client environment.
    2. Prioritize technical vulnerabilities in the Client’s environment to focus remediation.
    3. Provide progress of Client vulnerability remediation efforts over time.

    Methodology

    Vulnerability Risk Management consists of the following:

    1. INITIALIZATION MEETING – DeepSeas will host a kickoff meeting to conduct introductions and familiarize the Client with the initiative. This meeting will be no longer than sixty (60) minutes and is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
    2. PLANNING – Preparation necessary to conduct an effective test, including:
      1. Scope Definition – Identifying the scan scope and outputs that will provide the basis for the project.
      2. Schedule Development – Scheduling, project plan creation and resource identification.
    3. SCAN ANALYSIS & PRIORITIZATION – Identification of priority technical vulnerabilities by performing the following:
      1. Monthly Vulnerability Scan Analysis and Prioritization – Review and analysis of scan outputs from the scanning vendor, and prioritization of vulnerabilities by application of internal and public threat intelligence, with markup of scanner output documents.
    4. PROGRAM COLLABORATION – Collaborative vulnerability management workshop sessions to identify systemic program gaps:
      1. Monthly Client Meetings – Collaborative sessions with review and identification of systemic vulnerability management gaps based on scan results, summarized by a report on gap status/program progress and basic metrics reporting/summary.
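    The prioritization step above combines raw scanner severity with internal and public threat intelligence. The following Python script is an added example of that combination, not DeepSeas' own tooling: it parses a constructed scanner CSV export, raises the score of findings whose CVE appears in an (assumed) known-exploited or public-exploit list, scales by asset criticality and network exposure, and maps the result onto P1–P4 labels. The CVE ids, hosts, intelligence sets and weights are all placeholders chosen for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export in the shape of a scanner CSV (CVE ids are placeholders, not real ones)
SAMPLE_CSV = """host,cve,cvss,exposure,asset_tier
10.0.1.10,CVE-0000-0001,9.8,external,crown_jewel
10.0.2.20,CVE-0000-0002,7.5,internal,standard
10.0.3.30,CVE-0000-0003,5.3,internal,standard
10.0.4.40,CVE-0000-0004,9.1,internal,lab
"""

# Constructed threat-intelligence inputs (assumption for this example): which placeholder
# CVEs are exploited in the wild and which merely have public exploit code
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}
PUBLIC_EXPLOIT = {"CVE-0000-0001", "CVE-0000-0002"}

# Internal context supplied by the client (assumed weights)
TIER_WEIGHT = {"crown_jewel": 2.0, "standard": 1.0, "lab": 0.5}
EXPOSURE_WEIGHT = {"external": 1.5, "internal": 1.0}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    exposure: str
    asset_tier: str


def parse_scan_csv(text):
    """Parse the scanner export into Finding objects, rejecting malformed rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cvss = float(row["cvss"])
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS out of range for {row['host']}/{row['cve']}: {cvss}")
        if row["exposure"] not in EXPOSURE_WEIGHT or row["asset_tier"] not in TIER_WEIGHT:
            raise ValueError(f"unknown exposure or asset tier on row {row}")
        findings.append(Finding(row["host"], row["cve"], cvss, row["exposure"], row["asset_tier"]))
    return findings


def priority_score(f):
    """Base CVSS, raised by threat intel, then scaled by exposure and asset criticality."""
    score = f.cvss
    if f.cve in KNOWN_EXPLOITED:
        score += 4.0  # active exploitation outweighs a public proof of concept alone
    elif f.cve in PUBLIC_EXPLOIT:
        score += 2.0
    score *= EXPOSURE_WEIGHT[f.exposure] * TIER_WEIGHT[f.asset_tier]
    return round(score, 2)


def bucket(score):
    """Map a score onto the P1..P4 labels used to mark up the report (assumed thresholds)."""
    if score >= 20.0:
        return "P1"
    if score >= 12.0:
        return "P2"
    if score >= 6.0:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (finding, score, label) tuples, highest priority first, with a stable tie-break."""
    scored = [(f, priority_score(f), bucket(priority_score(f))) for f in findings]
    return sorted(scored, key=lambda t: (-t[1], t[0].host, t[0].cve))


if __name__ == "__main__":
    for f, score, label in prioritize(parse_scan_csv(SAMPLE_CSV)):
        print(f"{label} {score:6.2f} {f.host:12} {f.cve} (CVSS {f.cvss})")
```

    Note what the ordering shows: the CVSS 9.1 finding on the lab host ends up last, while a CVSS 5.3 finding that intelligence marks as actively exploited on a standard host outranks it. That inversion is the whole point of applying context rather than remediating strictly by scanner severity.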

    Deliverables

    DeepSeas will produce the following deliverables:

    VULNERABILITY IDENTIFICATION

    Vulnerability Identification comprises i) vulnerability scan management; and ii) vulnerability reporting and results management, delivered by DeepSeas and leveraging commercially available scanning tools.

    1. Vulnerability Scanning: Our solution includes vulnerability scanning of the Client’s internal, “active” Internet Protocol (IP) addresses. Scans of internal and cloud-based IPs are conducted from one or more Scan Appliances within your network or data center. Included in Vulnerability Scanning are the following components:
      1. Manage/update scan profiles and scan schedules
      2. Launch and verify the execution of IVM, on-demand, and policy compliance scans
      3. Review scan results and generate reports
      4. Troubleshoot any detected problems with scans
    2. Vulnerability Reporting: After vulnerability scans are executed, the next step is to review and analyze the scan results, in the form of various vulnerability reports. Included in Vulnerability Reporting are the following components:
      1. Review scan results/reports
      2. Troubleshoot any detected problems with scan reports/report templates
      3. Provide a notated version of the scan data output in an Excel document, and/or via an online portal with Client approval, featuring priority vulnerabilities along with an email summary and any applicable notes.
      4. Prepare and deliver monthly reports/dashboards
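    The monthly reports and dashboards above are meant to show remediation progress over time (objective 3). As an added illustration that is not part of this service description, the Python below walks two constructed monthly scan snapshots, works out which findings are new, remediated or carried over, the share of last month's backlog that was closed, and which open findings have aged past an assumed per-priority SLA. Hosts, CVE ids, dates and SLA values are all placeholders.

```python
from datetime import date

# Assumed remediation SLAs in days per priority label (placeholder policy for the example)
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Constructed monthly snapshots: scan date plus the open findings keyed by (host, cve),
# each mapped to its assigned priority. CVE ids are placeholders, not real vulnerabilities.
SNAPSHOTS = [
    (date(2024, 1, 15), {
        ("10.0.1.10", "CVE-0000-0001"): "P1",
        ("10.0.2.20", "CVE-0000-0002"): "P1",
        ("10.0.3.30", "CVE-0000-0003"): "P3",
    }),
    (date(2024, 2, 28), {
        ("10.0.2.20", "CVE-0000-0002"): "P1",  # still open 44 days after first detection
        ("10.0.3.30", "CVE-0000-0003"): "P3",
        ("10.0.4.40", "CVE-0000-0004"): "P2",  # newly detected this month
    }),
]


def track_remediation(snapshots, sla_days):
    """Walk the snapshots in chronological order and compute per-period metrics.

    Returns one dict per snapshot with counts of new, remediated and carried-over
    findings, the fraction of the previous period's backlog that was closed, and the
    sorted keys of findings whose age now exceeds the SLA for their priority.
    A finding that was closed and later reappears is treated as new again, so its
    age restarts; that choice is deliberate and should match the client's policy.
    """
    first_seen = {}
    prev_keys = set()
    history = []
    for scan_date, findings in snapshots:
        keys = set(findings)
        new = keys - prev_keys
        remediated = prev_keys - keys
        carried = keys & prev_keys
        for k in new:
            first_seen[k] = scan_date
        breaches = sorted(
            k for k, prio in findings.items()
            if (scan_date - first_seen[k]).days > sla_days[prio]
        )
        history.append({
            "scan_date": scan_date,
            "open": len(keys),
            "new": len(new),
            "remediated": len(remediated),
            "carried_over": len(carried),
            "remediation_rate": round(len(remediated) / len(prev_keys), 3) if prev_keys else None,
            "sla_breaches": breaches,
        })
        prev_keys = keys
    return history


if __name__ == "__main__":
    for period in track_remediation(SNAPSHOTS, SLA_DAYS):
        print(
            f"{period['scan_date']}: open={period['open']} new={period['new']} "
            f"remediated={period['remediated']} carried={period['carried_over']} "
            f"rate={period['remediation_rate']} breaches={period['sla_breaches']}"
        )
```

    The SLA-breach list is the item worth surfacing in the monthly client meeting: a carried-over P1 that has outlived its window is a program gap, not just a scanner row, and the per-period remediation rate gives the trend line the dashboard needs.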