Describe your network vulnerability management program, including scanning frequency, tools used, and remediation SLAs.
Explanation & Context
Explanation of the Question
This question is asking you to detail how your organization identifies, assesses, and addresses potential weaknesses in your network. Essentially, it wants to know how often you check your network for vulnerabilities, what tools you use for these checks, and how quickly you plan to fix any issues that are found.
Why It Matters
A robust network vulnerability management program is critical for maintaining the security and integrity of your network. Regular scanning finds exploitable weaknesses (unpatched services, misconfigurations, unnecessarily exposed ports) before attackers do. Well-maintained tools with current vulnerability feeds, run with credentials where possible, make those scans thorough and accurate rather than limited to what is visible from the outside. Remediation Service Level Agreements (SLAs) tied to severity set a clear deadline for each finding and so bound the window in which an attacker can exploit it.
Example of Evidence
To demonstrate fulfillment of this question, you might provide a document that outlines your vulnerability management policy. This document should specify the frequency of scans (e.g., weekly, monthly), the tools employed (e.g., Nessus, OpenVAS), how severity is assigned (e.g., CVSS score adjusted for exposure and asset criticality), the remediation SLAs measured from the time of detection (e.g., critical vulnerabilities to be addressed within 7 days, high vulnerabilities within 30 days), and how exceptions are recorded when a fix cannot meet the SLA. Additionally, you could include reports from recent scans and evidence of completed remediation, such as closed tickets or re-scan results showing the finding no longer present, to show that the program is actively maintained and effective.
Example Responses
Example Response 1
Our application runs on Heroku, so patching and monitoring of the underlying network and operating-system layer is handled by the platform provider. At the application layer we run weekly automated Snyk scans of our code dependencies and container images, and we perform a manual review of our configuration and exposed endpoints every quarter. Our remediation SLAs require critical vulnerabilities to be addressed within 7 days and high vulnerabilities within 30 days.
Example Response 2
We conduct daily automated vulnerability scans across our AWS infrastructure using Qualys and Nessus. Our remediation SLAs are stringent, with critical vulnerabilities requiring resolution within 48 hours and high vulnerabilities within 14 days. We also perform manual penetration tests every two weeks to complement our automated scans.
Example Response 3
As our software runs exclusively on-premises and is not exposed to the public internet, we do not run external network vulnerability scans as a traditional program would. We do, however, perform regular internal security assessments and audits, including scans of the internal hosts and network segments that run the software, to ensure our systems remain secure.