
Baseline for Vulnerability Management

These principles and checklist are intended to be used as a high-level self assessment to determine the capability and maturity of a vulnerability management (including patching) function for organisations connected to the WA SOC. Note that this excludes the Governance, Risk and Compliance (GRC) roles and is focused primarily on undertaking the operational Identify and Protect capabilities under the WA Cyber Security Policy (and takes into consideration the oversight capabilities available to entities in scope of the WA SOC).

Vulnerability management principles (NCSC)

The UK NCSC's excellent Vulnerability management guidance lays out five principles intended to help organisations establish an effective vulnerability management process:

  1. Put in place a policy to update by default: Apply updates as soon as possible, and ideally automatically, in line with our best-practice timescales.
  2. Identify your assets: Understanding what systems and software you have on your technical estate, who is responsible for what, and which vulnerabilities are present.
  3. Carry out assessments by triaging and prioritising: If updating to the latest version of the affected software doesn’t fix the reported vulnerability or misconfiguration, or there isn’t an update to address the issue yet, you will need a process to triage and prioritise.
  4. The organisation must own the risks of not updating: There may sometimes be legitimate reasons not to update. The decision not to is a senior-level risk decision, and should be considered in the wider context of organisational risk management policy and practice.
  5. Verify and regularly review your vulnerability management process: Your vulnerability management process should always be evolving to keep pace with changes in your organisation’s estate, new threats or new vulnerabilities.

The links embedded in the checklist below are to recommended approaches that can be used for implementation. Any equivalent capability is suitable, however, as long as the organisation is able to maintain an up to date asset database with a full inventory of the devices, resources (compute, storage, network), software and code repositories in use.
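The two checks that principles 2 and 5 above imply (is every inventoried asset actually being scanned, and are open findings being fixed inside the agreed timescales?) are simple enough to automate against an export from the asset database and the scanner. The following Python is an added illustration, not part of the NCSC guidance or of any WA SOC tooling: the hosts, owners, plugin names, scan dates and remediation timescales are all constructed for the example, and the timescales in particular are placeholders for an organisation's own policy figures rather than the NCSC's.

```python
from datetime import date

AS_OF = date(2024, 5, 15)  # constructed "today" so the example is deterministic

# Constructed asset inventory (hypothetical hosts and owners).
INVENTORY = {
    "web-01": {"owner": "Digital Services", "internet_facing": True},
    "web-02": {"owner": "Digital Services", "internet_facing": True},
    "db-01":  {"owner": "Platforms",        "internet_facing": False},
    "hr-app": {"owner": "Corporate",        "internet_facing": False},
}

# Constructed scanner output: when each host was last successfully scanned ...
LAST_SCANNED = {
    "web-01": date(2024, 5, 10),
    "db-01": date(2024, 4, 1),
    "shadow-box": date(2024, 5, 12),   # seen by the scanner, absent from the inventory
}

# ... and the open findings it reported (plugin names are made up).
FINDINGS = [
    {"host": "web-01", "plugin": "openssl-outdated", "severity": "critical", "first_seen": date(2024, 5, 1)},
    {"host": "web-01", "plugin": "tls-weak-cipher", "severity": "medium", "first_seen": date(2024, 5, 1)},
    {"host": "db-01", "plugin": "kernel-outdated", "severity": "high", "first_seen": date(2024, 4, 20)},
    {"host": "shadow-box", "plugin": "ssh-outdated", "severity": "high", "first_seen": date(2024, 5, 12)},
]

# Assumed remediation timescales in days as (internet-facing, internal).
# Placeholders for the organisation's own policy figures, not the NCSC's.
REMEDIATION_DAYS = {
    "critical": (2, 7),
    "high": (7, 14),
    "medium": (30, 30),
    "low": (90, 90),
}


def coverage_gaps(inventory, last_scanned, as_of, max_age_days=30):
    """Principle 2 check: reconcile the asset inventory against scanner coverage.

    Returns inventoried hosts the scanner has never seen, inventoried hosts whose
    last scan is older than max_age_days, and scanned hosts missing from the inventory.
    """
    never = sorted(h for h in inventory if h not in last_scanned)
    stale = sorted(h for h, seen in last_scanned.items()
                   if h in inventory and (as_of - seen).days > max_age_days)
    unknown = sorted(h for h in last_scanned if h not in inventory)
    return {"never_scanned": never, "stale": stale, "not_in_inventory": unknown}


def overdue_findings(inventory, findings, timescales, as_of):
    """Principle 1/3 check: open findings that have exceeded their remediation timescale.

    A host missing from the inventory is treated as internet-facing (the worst case)
    and attributed to an UNKNOWN owner so the gap is visible rather than silently dropped.
    Results are sorted with the most overdue finding first.
    """
    overdue = []
    for f in findings:
        asset = inventory.get(f["host"])
        exposed = asset["internet_facing"] if asset else True
        limit = timescales[f["severity"]][0 if exposed else 1]
        age = (as_of - f["first_seen"]).days
        if age > limit:
            overdue.append({
                "host": f["host"],
                "owner": asset["owner"] if asset else "UNKNOWN",
                "plugin": f["plugin"],
                "severity": f["severity"],
                "days_open": age,
                "days_overdue": age - limit,
            })
    return sorted(overdue, key=lambda r: r["days_overdue"], reverse=True)


if __name__ == "__main__":
    for label, hosts in coverage_gaps(INVENTORY, LAST_SCANNED, AS_OF).items():
        print(f"{label}: {hosts}")
    for r in overdue_findings(INVENTORY, FINDINGS, REMEDIATION_DAYS, AS_OF):
        print(f"{r['host']} ({r['owner']}): {r['plugin']} {r['severity']} "
              f"open {r['days_open']}d, overdue by {r['days_overdue']}d")
```

Run against real exports, the `not_in_inventory` list is usually the most telling output: a host the scanner can reach but the asset database does not know about has no owner to action the findings, which is exactly the situation principle 2 is meant to prevent. Feeding the overdue list back to the named owners, and reviewing the assumed timescales against actual fix times, is the regular review principle 5 calls for.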

Checklist

WA Government Vulnerability Scanning Service

The WA SOC makes available a Tenable-based vulnerability scanning platform as a straightforward way to implement ongoing posture scanning and maintenance in a coordinated manner. Usage of this platform also improves the threat monitoring and remediation assistance available to the sector.