IT Security Vulnerabilities Program Use Case Design

This topic explains the IT Security Vulnerabilities Program use case design.

Architecture Diagram

The following diagram shows applications in relation to the IT Security Vulnerabilities Program (ITSVP) use case.

[Diagram: IT Security Vulnerabilities Program use case architecture]

Applications

The following table describes the use case applications.

Application

Description

Devices

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

Vulnerability Tickets

The Vulnerability Tickets application provides a method of creating tickets for specific vulnerability scan results and assigning them to a specific owner. The owner can address a ticket in 1 of 4 ways:

  • Create Exception Request
  • Open Finding
  • Create a Simple Remediation Plan
  • Create Formal Remediation Plan

Each ticket includes information from the vulnerability scan result and related devices, as well as patches used to complete simple remediation. Metrics automatically tracked by the ticketing application include the number of days open, ticket status, scanner verification, and the status of associated vulnerability scan results.

Vulnerability Scan Results

The Vulnerability Scan Results application stores one record for each issue reported by the vulnerability scanner, with fields such as Device Name, IP, owner, department, description, notes, and recommendations. Each record contains the technical recommendation for its scan result, and the application allows reporting on the total number of issues regardless of which system detected them.

Vulnerability Historical Data

The Vulnerability Historical Data application provides a method for monitoring historical trends in the Vulnerability Scan Results application. The following metrics are recorded and tracked:

  • Vulnerabilities by Severity
  • Vulnerabilities by VSR Overall Status
  • Count of Devices
  • Count of Devices Scanned (Last 30 days)

The vulnerability scan results are grouped into the following dimensions:

  • All Dimensions
  • Application
  • Business process
  • Business unit
  • Technologies - Product
  • Technologies - Vendor

Records in the Vulnerability Historical Data application represent a snapshot of a point in time for a specific dimension and device. Information is populated into Vulnerability Historical Data on a daily basis through a data feed that aggregates statistical data from the Vulnerability Scan Results application.

Important: The VSR Overall Status and Severity fields located in the Vulnerability Scan Results application are closely tied to the data feeds for Vulnerability Historical Data. Altering the values or configuration of those fields could lead to the data feed not functioning properly, or a loss of data transfer.

Applications

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

Business Unit

The Business Unit application provides a detailed view of all activities related to the specific business unit.

Note: The Business Unit application is included in the Enterprise Catalog package.

Vulnerability Scan Definition

The Vulnerability Scan Definition application documents recurring or 1-time vulnerability scans for reporting purposes. Vulnerability scans can be conducted on a regular or periodic basis as part of the threat management program, for example, Quarterly PCI Scans or scans of externally facing servers. Vulnerability Scans can also be conducted on a "transactional" basis for a singular purpose, such as an application scan or as part of a threat assessment.

Through the Vulnerability Scan Definition application, you can:

  • Define recurring operational scans including scope, ownership, frequency and other attributes.
  • Document individual "1-time" scans that support other threat processes, such as pre- or post-implementation reviews and threat assessments.
  • Relate individual scan definitions to their results in the Vulnerability Scan Results application.
  • Relate scan definitions to Threat projects to document individual scans run as part of a threat project.

Vulnerability Library

The Vulnerability Library application represents a catalog of vulnerability data collected from Archer Exchange integration offerings. The Vulnerability Library is updated each week or month by data feeds depending on the source. The library includes data points such as:

  • Vulnerability publication date
  • Title
  • Consequence
  • Recommended solution
  • Severity
  • CVSS scoring

Records can be linked to affected devices, vulnerability scan results, and malicious code found to exploit the vulnerability. The Vulnerability Library also provides a method for generating exception requests, identifying mitigating strategies, and denoting affected ports.

By tying vulnerabilities to assets, you can properly analyze, prioritize, and respond proactively to address the threat for vulnerable assets. The Vulnerability Library provides the ability to:

  • Automatically import data from Archer Exchange integration offerings.
  • Notify appropriate personnel automatically when new vulnerabilities are identified.
  • Research potential threats and produce real-time reports that aid in the creation of action plans.

Patches

The Patches application contains patch information that is populated from threat feeds.

Technologies

The Technologies application provides a searchable and extensible repository of technology version information that can be leveraged to relate devices of like technology. Devices can be identified and grouped using 1 of the following 3 tiered hierarchical values lists:

  • Operating System Technology. This list details information such as the operating system vendor, product, and version of the operating system.
  • Application Technology. This list contains information such as the application vendor, name, and version of the application.
  • Hardware Technology. This list describes information relating to hardware vendor, including name, description, and technology version naming conventions.

Users can filter technologies that have been company approved and view reports detailing known vulnerabilities threatening their technologies.

Note: The Technologies application is included in the Enterprise Catalog package.

Vulnerability Scan Requests

The Vulnerability Scan Request application allows you to request a vulnerability scan on a particular device, application, network segment, or IP range. The application includes fields to document the request including requestor and manager information, scope of scan, date/time, type of scan, and priority.

Malicious Code

The Malicious Code application collects malware data regarding worms, Trojans, rootkits, spyware, crimeware, viruses, and other hostile or intrusive program code. By tying malicious code to asset data, you can properly analyze, prioritize, and determine the required remediation based on asset criticality rating. Through the Malicious Code application, you can:

  • Automatically import data from an intelligence feed.
  • Auto-notify appropriate personnel when new malicious code is identified.
  • Research potential threats and produce real-time reports that aid in the creation of action plans.

Findings

The Findings application allows you to document issues, deficiencies, or gaps found through assessments and control testing. Findings are either auto-generated from questionnaires, including links back to the questionnaire, target, and any applicable control standards and authoritative sources, or are manually generated by users. Findings can be resolved through remediation tasks and/or exception requests.

Through the Findings application, you can:

  • Review findings that are auto-generated through the results of assessments and control testing.
  • Use automated workflow to route findings to the appropriate personnel.
  • Mitigate findings through remediation tasks and/or exception requests. The system calculates residual risk and compliance status based on the resolution of findings.
  • Relate multiple findings in the context of a remediation plan.
  • Track tasks associated with findings resolution.

Exception Requests

The Exception Requests application allows you to manage the process of granting, denying, and expiring exceptions to the remediation required in a finding. Through built-in workflow, the application ensures that all exceptions are properly reviewed. The tool can also report on exceptions across the enterprise, monitoring them by control, department, or severity.

Through the Exception Requests application, you can:

  • Enable employees to submit exception requests through an easy-to-use web interface.
  • Allow designated individuals to evaluate exception requests and approve or deny the requests based on risk posed to the business.
  • Grant exceptions for a specific period of time and notify proper personnel as expiration dates approach.
  • Enable management to track granted exceptions, facilitating periodic reviews of exceptions and the exceptions’ impact.
  • Allow employees to track the status of their own policy exception requests through My Requests reports.
  • Understand the policies or standards with the most approved exceptions and use the information to support training and awareness programs.

Remediation Plans

The Remediation Plans application allows you to document the specific actions management plans to take to address identified gaps and issues. You can capture key details about remediation efforts, including estimated and actual costs, timelines, owners and detailed actions. You can associate multiple remediation plans with a single finding and track each effort individually. You can also relate a single remediation plan with multiple findings in the event that an action is designed to address multiple issues.

Storage Devices

The Storage Devices application serves as a central repository for storage devices used within the infrastructure.

Note: The Storage Devices application is included in the Enterprise Catalog package.

Company

The Company application stores general, financial, and compliance information at the company level. Combined with the Division and Business Unit applications, this application supports roll-up reporting of governance, risk, and compliance initiatives across the enterprise.

Note: The Company application is included in the Enterprise Catalog package.

Division

The Division application represents the intermediate unit within the business hierarchy which is a layer below the high-level company and a layer above the individual business unit. You can use this application to further document the relationships within your business and measure the effectiveness and compliance of individual divisions within the enterprise.

Note: The Division application is included in the Enterprise Catalog package.

Vulnerability Reference Lists

The Vulnerability Reference Lists application provides a repository of public vulnerability references collected from Archer Exchange integration offerings, based on the vendor you use to scan. The Vulnerability Reference List is updated on a user-defined schedule to account for emerging threats. The application provides a list of entries, each containing a vulnerability identification number, a type, and a public reference for a known Cyber Security vulnerability. The URL in each entry points to public references detailing the vulnerability, such as a description, its consequences, and potential mitigation strategies.

Access Roles and Record Permissions

The following table describes the use case access roles.

Access Role

Description

ITSVP: Analysts

This role provides the appropriate access levels to Analysts within the ITSVP use case to perform analysis and classify vulnerabilities accordingly.

ITSVP: Operations

This role provides the appropriate access levels to Operators within the ITSVP use case.

ITSVP: Executive Management

This role establishes the rights for Executive Management within the ITSVP use case. Users with this role are provided with read access to ITSVP applications.

ITSVP: Business Management

This role provides access levels to the appropriate line of business within the ITSVP use case.

ITSVP: Admin

This role serves as the administrator for the ITSVP use case, providing create, read, update, and delete access rights.

Note: For detailed, page-level access rights, see the Data Dictionary.

Dashboards

The following table describes the use case dashboards.

Dashboard

Description

ITSVP Business and Executive Management

The ITSVP Business and Executive Management dashboard provides a high-level overview of the ITSVP use case. This dashboard displays information about vulnerability scan results, devices, and vulnerability tickets. Users can also sort vulnerability remediation plans, findings, and exception requests by status to see which ones are in progress, closed, approved, or expired.

Only users assigned to the ITSVP: Business Management or ITSVP: Executive Management roles can view the ITSVP Business and Executive Management dashboard.

ITSVP Analyst

The ITSVP Analyst dashboard provides information about the severity and status of vulnerability definitions and vulnerability scan results. This dashboard organizes vulnerability definitions by month to help Analysts draw comparisons. Analysts can also view open vulnerability tickets assigned to them.

Only users assigned to the ITSVP: Analysts role can view the ITSVP Analyst dashboard.

ITSVP Operations

The ITSVP Operations dashboard provides information about vulnerability scan results and vulnerability tickets by status. Users assigned to the Operations role can use this dashboard to view open vulnerability tickets that are assigned to them, and see which devices are associated with their open vulnerability scan results. This dashboard also highlights expiring vulnerability exception requests.

Only users assigned to the ITSVP: Operations role can view the ITSVP Operations dashboard.

Data Feeds

The following table describes the use case data feed.

Data Feed

Description

Vulnerability_Historical_Data.dfx5

The Vulnerability Historical Data data feed captures metrics populated in Vulnerability Scan Results into the Vulnerability Historical Data application. The data feed is based on multiple statistical reports and captures the following metrics for each vulnerability scan record:

  • Vulnerabilities by Severity
  • Vulnerabilities by VSR Overall Status
  • Count of Devices
  • Count of Devices Scanned (Last 30 days)

If a device is tied to multiple dimensions or dimension values, the aggregated reports in the Vulnerability Historical Data application reflect the same scan result once for each dimension value, so a single scan result is counted multiple times.

Important: The Vulnerability Historical Data data feed is only available in the English language.
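As an added illustration (not code from the Archer data feed itself), the following Python models the daily snapshot that the Vulnerability Historical Data feed builds from Vulnerability Scan Results, using constructed sample records: one snapshot per dimension value carrying the four metrics listed above, and a roll-up that shows why a device tied to two Application values makes the same scan result appear twice. Metric and dimension names follow this page; the record layout and field names are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample scan results (not real Archer data). Each record carries the
# fields the feed reads: Severity, VSR Overall Status, the related device, the
# device's last scan date, and the dimension values the device is tied to.
SCAN_RESULTS = [
    {"id": "VSR-1", "device": "web01", "severity": "High", "status": "Open",
     "last_scanned": date(2024, 5, 30),
     "dims": {"Application": ["Payments"], "Business unit": ["Retail"]}},
    {"id": "VSR-2", "device": "web01", "severity": "Medium", "status": "Remediated",
     "last_scanned": date(2024, 5, 30),
     "dims": {"Application": ["Payments"], "Business unit": ["Retail"]}},
    # db01 supports two applications, so this result lands in two Application snapshots
    {"id": "VSR-3", "device": "db01", "severity": "Critical", "status": "Open",
     "last_scanned": date(2024, 3, 1),
     "dims": {"Application": ["Payments", "Billing"], "Business unit": ["Retail"]}},
]
AS_OF = date(2024, 6, 1)  # the day the daily feed runs


def snapshot(results, dimension, value, as_of):
    """Build one Historical Data record: the four metrics for one dimension value on one day."""
    if dimension == "All Dimensions":
        rows = list(results)
    else:
        rows = [r for r in results if value in r["dims"].get(dimension, [])]
    cutoff = as_of - timedelta(days=30)
    return {
        "dimension": dimension, "value": value, "as_of": as_of,
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "by_vsr_status": dict(Counter(r["status"] for r in rows)),
        "device_count": len({r["device"] for r in rows}),
        "devices_scanned_30d": len({r["device"] for r in rows if r["last_scanned"] >= cutoff}),
    }


def daily_feed(results, as_of):
    """Emit the All Dimensions roll-up plus one snapshot per (dimension, value) pair seen."""
    pairs = sorted({(d, v) for r in results for d, vs in r["dims"].items() for v in vs})
    return [snapshot(results, "All Dimensions", "*", as_of)] + [
        snapshot(results, d, v, as_of) for d, v in pairs]


def find(feed, dimension, value):
    return next(s for s in feed if s["dimension"] == dimension and s["value"] == value)


def summed_by_severity(feed, dimension):
    """Add up one dimension's snapshots: this is where multi-valued devices get double counted."""
    total = Counter()
    for s in feed:
        if s["dimension"] == dimension:
            total.update(s["by_severity"])
    return dict(total)
```

Summing the Application snapshots reports 2 Critical results while the All Dimensions roll-up reports 1, which is the double counting the note above warns about.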

Available Integrations

The IT Security Vulnerabilities Program use case has several integrations available on Archer Exchange that allow you to feed vulnerability data into Archer.

Note: You are not required to install any integrations to use the ITSVP use case.

The following table describes integrations available for the use case.

Integration

Description

NIST National Vulnerability Database (NVD)

The NIST NVD integration does the following:

  • Catalogs vulnerabilities using the Common Vulnerabilities and Exposures (CVE) standard defined by the US Government
  • Builds a base Vulnerability Library recognized as the security industry standard
  • Supports NVD's JSON CVE data feed format

For more information about NIST NVD, including how to set up the integration data feeds, see "NIST National Vulnerability Database Integration" on the Archer Exchange at https://www.archerirm.community/t5/exchange-overviews/nist-national-vulnerability-database-integration/ta-p/564705.

Qualys Vulnerability Management

The Qualys Vulnerability Management integration does the following:

  • Catalogs network devices on a corporate network
  • Discovers network device vulnerabilities using scanning technology
  • Supplements the Vulnerability Library application with the Qualys knowledge base

For more information about Qualys, including how to set up the integration data feeds, see "Qualys Vulnerability Management Integration" on the Archer Exchange at https://www.archerirm.community/t5/exchange-overviews/qualys-vulnerability-management-integration/ta-p/573408.

Tenable.sc Vulnerability Management

The Tenable.sc Vulnerability Management integration does the following:

  • Catalogs network devices on a corporate network
  • Discovers network device vulnerabilities using scanning technology
  • Supplements the Vulnerability Library application with Tenable's plugins for vulnerability information, a simplified set of remediation actions, and an algorithm to test for present security issues

For more information about Tenable.sc, including how to set up the integration data feeds, see "Tenable.sc Vulnerability Management Integration" on the Archer Exchange at https://www.archerirm.community/t5/exchange-overviews/tenable-sc-vulnerability-management-integration/ta-p/573423.

RiskRecon Own Enterprise Monitoring

The RiskRecon Own Enterprise Monitoring integration allows you to independently monitor your own enterprise's external security posture. This integration provides organizations with visibility, insight, and actionable intelligence into risk environments.

For more information about RiskRecon Own Enterprise Monitoring, including how to set up the integration data feeds, see "RiskRecon Own Enterprise Monitoring Integration" on the Archer Exchange at https://www.archerirm.community/t5/exchange-overviews/riskrecon-own-enterprise-monitoring-integration/ta-p/571193.

Data Dictionary

The IT Security Vulnerabilities Program Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the solution by contacting your Archer Account Representative.