Vulnerability Management Assessment and Response


Cybersecurity Essentials: Part 5

All organizations need to protect their systems and data from cyber-attacks, which means that all organizations need to implement a cybersecurity program. Our monthly blog, “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

In part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices.

In part 2, we shifted our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

In part 3, we introduced some tools—applications and solutions—you can use to safeguard your organization from hackers.

In part 4, we offered five rules for “system hardening,” that is, tightening up access and adding security to ward off potential hackers.

Part 5, the final in our series, consists of four “vulnerability management assessment and response” initiatives that are key to maintaining a secure organization and a culture of cybersecurity. All four need to be reviewed and updated on a recurring basis as your security environment changes, as the threat landscape changes, and as your organization evolves in terms of structure, size, and geographical footprint. Through these changes, you can reference your vulnerability management assessment and response initiatives to ensure and validate that you are positioned properly in terms of your security posture.

Establish a vulnerability management program.

At the core of your program is the fundamental process of software management, a continuous evaluation of your software applications for an understanding of your potential vulnerabilities. That includes ensuring you are using the latest software updates, which will include security updates, and if you are using unsupported applications, that you understand where they might be vulnerable.
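One way to make that continuous evaluation concrete, as an added example that is not from the original post or Vertilocity: a Python review of a constructed software inventory (application names, versions and support dates are all made up) that flags unsupported applications, versions behind the vendor's latest release, and support dates that are about to pass.

```python
"""Review a (constructed) software inventory for vulnerability management findings."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Software:
    name: str
    installed: str                    # version currently deployed
    latest: str                       # newest vendor release known to us
    end_of_support: Optional[date]    # None: vendor has announced no end date


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.0' into (10, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(inventory: List[Software], today: date, warn_days: int = 90):
    """Return (name, finding, detail) tuples, most serious findings first."""
    findings = []
    for sw in inventory:
        eos = sw.end_of_support
        if eos is not None and eos <= today:
            # No more security updates from the vendor: the highest-priority finding.
            findings.append((sw.name, "unsupported", f"vendor support ended {eos}"))
            continue
        installed, latest = parse_version(sw.installed), parse_version(sw.latest)
        if installed < latest:
            behind = "major" if installed[0] < latest[0] else "minor"
            findings.append((sw.name, f"outdated-{behind}", f"{sw.installed} -> {sw.latest}"))
        if eos is not None and eos - today <= timedelta(days=warn_days):
            findings.append((sw.name, "support-ending", f"support ends {eos}; plan migration"))
    order = {"unsupported": 0, "outdated-major": 1, "outdated-minor": 2, "support-ending": 3}
    findings.sort(key=lambda f: order[f[1]])
    return findings


# Constructed sample inventory; none of these products or dates are real.
INVENTORY = [
    Software("Office Suite", "16.0.3", "16.0.3", None),
    Software("PDF Reader", "10.1.0", "11.0.2", date(2024, 6, 30)),
    Software("Practice Mgmt DB", "9.4.1", "9.4.7", date(2025, 12, 31)),
    Software("Legacy Imaging Client", "3.2.0", "3.2.0", date(2023, 1, 31)),
]
REVIEW_DATE = date(2025, 11, 1)   # constructed review date

if __name__ == "__main__":
    for name, finding, detail in assess(INVENTORY, REVIEW_DATE):
        print(f"{finding:<15} {name}: {detail}")
```

Re-run the review on a schedule with a refreshed inventory; the point of the program is that the findings list changes as vendors ship releases and retire products.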

Set incident response policies.

These policies will set the standard of behavior and a structure for your response activities. They will include a definition of roles and responsibilities, how to understand the severity of an incident, and how and to what levels of authority incidents are reported. Also included will be a statement of the purpose and objectives of your incident response policies, and of management’s commitment to and rationale behind the policies, to demonstrate management’s vested interest and ensure companywide buy-in.

Establish incident response procedures.

As opposed to policies, procedures are step-by-step instructions on what to do in responding to an incident. They will differ from business continuity or disaster recovery activities in that they are your internal process for reporting an incident: who to report to and what information to report. The reporting process is unique to each business, and will require the organization to determine its expectations as well as a reporting structure and process.

Determine incident response roles and responsibilities.

Identifying the key stakeholders in critical roles, those who will be responsible for leading the response in the case of a security incident, is essential to being able to respond effectively. As with all vulnerability assessment and response processes, roles and responsibilities have to be evaluated and updated regularly. If you partner with an MSP, that will include determining their role, keeping contact information updated, and knowing the next person to call if a primary contact is not available. Keeping contacts and contact information current is critical because every minute spent trying to determine who to call is another minute the bad actors have access to your environment.

If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at

About the Author(s)

Justin Krentz is a Principal with Vertilocity whose main responsibilities include account management, operations and new business development. His experience spans 14 years of selling managed services and comprehensive technology solutions to small and mid-sized businesses, with a primary focus on the healthcare sector. He has written several articles that have been printed in various healthcare societal publications and regularly speaks at medical societies on technology updates. Justin graduated from Ohio University with a B.S. in Marketing and received his MBA with a focus in Healthcare Management from Duquesne University.

Vertilocity, an HBK company, was created in 2021 with the merger of Vertical Solutions with HBK IT. The resulting entity operates out of HBK offices in Pittsburgh and Clark, New Jersey, and remotely in and around Denver, Colorado. In addition to expanding its IT services to its broad base of business clients, the merger enhanced HBK’s technological offering to its more than 600 healthcare business and institutional clients.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.