SOC2-CC7-VULN-MGMT
Vulnerability Management Program
What this control does
Continuous scanning of production infrastructure and applications for known vulnerabilities, with SLA-based remediation.
Implementation guidance
Run authenticated vulnerability scans weekly using a tool (Tenable, Qualys, AWS Inspector). Define remediation SLAs by severity: critical ≤7 days, high ≤30 days, medium ≤90 days. Track findings in a ticket system. Report on open critical/high findings to leadership monthly.
Requirements satisfied
Why it matters
Unpatched vulnerabilities are the primary vector for infrastructure compromise and data breach. Without continuous scanning and enforced remediation timelines, critical exposures can persist undetected for months, significantly increasing the window of opportunity for attackers. Weak or reactive vulnerability management directly correlates with breaches involving known-vulnerable components.
Evidence to collect
- Authenticated vulnerability scan results from the past 90 days showing date, scan scope, and findings count (e.g., Tenable Nessus report, Qualys report, or AWS Inspector findings export)
- Remediation SLA policy document defining severity tiers and closure deadlines (critical ≤7 days, high ≤30 days, medium ≤90 days)
- Vulnerability tracking tickets (minimum 10 samples) showing creation date, finding ID, assigned remediation owner, and closure evidence (patch applied, re-scan confirmation, or risk acceptance)
- Monthly leadership report covering open critical/high findings with aging analysis (showing which findings exceed SLA by days)
Testing procedure
Request scan reports from the past 90 days and verify that authenticated scans executed weekly (or per documented frequency); confirm the scan scope covers all in-scope production infrastructure. Pull a random sample of 15 findings across severity levels from the past 6 months and verify each has a corresponding tracking ticket with closure evidence (patch, re-scan proof, or dated risk acceptance) and that the closure date falls within the SLA. Review the most recent monthly leadership report and confirm it lists all open critical/high findings and calculates days-past-SLA; if any findings exceed SLA, verify escalation occurred.
Common gotchas
Organizations frequently run unauthenticated scans only, which miss internal vulnerabilities and configuration weaknesses—ensure scans use validated credentials with appropriate privileges. Remediation SLA tracking often breaks down because findings are resolved operationally but never formally closed in the ticket system, creating false SLA compliance; reconcile scan findings against closed tickets to catch this gap.
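The days-past-SLA calculation from the testing procedure and the scan-to-ticket reconciliation from the gotchas above, as an added Python example that is not part of this control page; the finding IDs, field names, dates and the FINDINGS/TICKETS structures are constructed stand-ins for a scan export and a ticket-system export.

```python
from datetime import date

# Remediation SLAs from the control, in days (severities below "medium" have no SLA here).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample data: the scanner's view (first_seen, still_detected in the latest scan)
# and the ticket system's view of the same finding IDs. Field names are assumptions.
FINDINGS = {
    "F-1": {"severity": "critical", "first_seen": date(2024, 5, 1), "still_detected": True},
    "F-2": {"severity": "high", "first_seen": date(2024, 4, 20), "still_detected": False},
    "F-3": {"severity": "medium", "first_seen": date(2024, 3, 1), "still_detected": True},
    "F-4": {"severity": "high", "first_seen": date(2024, 5, 10), "still_detected": True},
}
TICKETS = {
    "F-1": {"closed": None},               # still open; critical and long past 7 days
    "F-2": {"closed": None},               # fixed in production, never closed in the tracker
    "F-3": {"closed": date(2024, 4, 15)},  # closed on paper, but the scanner still detects it
}                                          # F-4 was never ticketed at all

def days_past_sla(severity, first_seen, closed, today):
    """Days by which remediation exceeded its SLA; 0 if no SLA applies or it was met."""
    sla = SLA_DAYS.get(severity)
    if sla is None:
        return 0
    end = closed or today  # an open finding is measured against today
    return max(0, (end - first_seen).days - sla)

def reconcile(findings, tickets, today):
    """Cross-check scanner state against ticket state; return (finding_id, issue, days_past_sla)."""
    issues = []
    for fid, f in findings.items():
        t = tickets.get(fid)
        over = days_past_sla(f["severity"], f["first_seen"], None, today)
        if t is None:
            issues.append((fid, "no_ticket", over))
        elif t["closed"] is not None and f["still_detected"]:
            # Closed without re-scan confirmation: the SLA looks met but the exposure remains.
            issues.append((fid, "closed_but_still_detected", over))
        elif t["closed"] is None and not f["still_detected"]:
            # Remediated operationally but never formally closed; SLA reporting is inaccurate.
            issues.append((fid, "resolved_not_closed", over))
        elif t["closed"] is None and over > 0:
            issues.append((fid, "open_past_sla", over))
    return sorted(issues)

if __name__ == "__main__":
    for fid, issue, over in reconcile(FINDINGS, TICKETS, date(2024, 6, 1)):
        print(f"{fid}: {issue} ({over} days past SLA)")
```

Feeding the real scan export and ticket export into the same two dictionaries turns the reconciliation into a repeatable check an auditor can rerun rather than a manual sample.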