Vulnerability Management Assessment and Response

Date May 16, 2023
Authors Justin Krentz

Cybersecurity Essentials: Part 5

All organizations need to protect their systems and data from cyber-attacks, which means that all organizations need to implement a cybersecurity program. Our monthly blog, “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

In part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices.

In part 2, we shifted our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

In part 3, we introduced some tools—applications and solutions—you can use to safeguard your organization from hackers.

In part 4, we offer five rules for “system hardening,” that is, tightening up access and adding security to ward off potential hackers.

Part 5, the final in our series, consists of four “vulnerability management assessment and response” initiatives that are key to maintaining a secure organization and a culture of cybersecurity. All four need to be reviewed and updated on a recurring basis as your security environment changes, as the threat landscape changes, as your organization evolves in terms of structure, size, and geographical footprint. Through these changes, you can reference your vulnerability management assessment and response initiatives to ensure and validate that you are positioned properly in terms of your security posture.

Establish a vulnerability management program.

At the core of your program is the fundamental process of software management, a continuous evaluation of your software applications for an understanding of your potential vulnerabilities. That includes ensuring you are using the latest software updates, which will include security updates, and if you are using unsupported applications, that you understand where they might be vulnerable.

Set incident response policies.

These policies will set the standard of behavior and a structure for your response activities. They will include a definition of roles and responsibilities, how to understand the severity of an incident, and how and to what levels of authority incidents are reported. Include will be a statement of the purpose and objectives of your incident response policies, and of management’s commitment to and rationale behind the policies to demonstrate management’s vested interest and ensure companywide buy-in.

Establish incident response procedures.

As opposed to policies, procedures are step-by-step instructions on what to do in responding to an incident. They will differ from business continuity or disaster recovery activities in that they are your internal process for reporting an incident: who to report to and what information to report. The reporting process will is unique to each business, and will require the organization to determine its expectations as well as a reporting structure and process.

Determine incident response roles and responsibilities.

Identifying the key stakeholders in critical roles, those who will be responsible for leading the response in the case of a security incident, is essential to being able to respond effectively. As with all vulnerability assessment and response processes, roles and responsibilities have to be evaluated and updated regularly. If you partner with an MSP, that will include determining their role, keeping contact information updated, and knowing the next person to call if a primary contact is not available. Keeping contacts and contact information current is critical because every minute spent trying to determine who to call is another minute the bad actors have access to your environment.

If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at

Speak to one of our professionals about your organizational needs

"*" indicates required fields needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.