
🧱 Vulnerability Management SOP

APJ Enterprise LLC — NIST SP 800‑40r4 | NIST SP 800‑53 Rev.5 (RA‑5, SI‑2, CA‑7)

1. Objective

Provide a repeatable workflow to discover, prioritize, remediate, and verify vulnerabilities across the environment.

2. Workflow (7 Steps)

  1. Discover: Run authenticated scans (agents/credentialed).
  2. Prioritize: Use CVSS + exploitability + asset criticality.
  3. Assign: Create ticket with owner and due date (SLA: Critical ≤ 15 days, High ≤ 30).
  4. Remediate: Patch/config change/compensating control.
  5. Validate: Rescan or alternate validation (EDR telemetry).
  6. Document: Update POA&M with status and evidence.
  7. Report: Monthly metrics to leadership.
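The prioritize, assign and report steps above, as an added Python example that is not part of the SOP: the SLA values come from step 3, but the scoring weights for exploitability and asset criticality, the 1..3 criticality scale and the sample findings are assumptions, since the SOP names the inputs without giving a formula.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLAs stated in the SOP: Critical <= 15 days, High <= 30 days.
# Medium and Low carry no SLA on the page, so they get no due date here (assumption).
SLA_DAYS = {"Critical": 15, "High": 30}


@dataclass
class Finding:
    asset: str
    cvss: float        # CVSS base score, 0.0-10.0
    exploited: bool    # exploitability signal, e.g. known exploited in the wild
    criticality: int   # asset criticality 1 (low) .. 3 (high); assumed scale
    found: date        # date the scanner first reported the finding

def priority_score(f: Finding) -> float:
    """CVSS adjusted upward for exploitability and asset criticality (assumed weights)."""
    score = f.cvss + (1.0 if f.exploited else 0.0) + (0.5 if f.criticality == 3 else 0.0)
    return min(round(score, 1), 10.0)

def severity(f: Finding) -> str:
    s = priority_score(f)
    return "Critical" if s >= 9.0 else "High" if s >= 7.0 else "Medium" if s >= 4.0 else "Low"

def due_date(f: Finding):
    """Ticket due date for step 3, or None when no SLA applies."""
    days = SLA_DAYS.get(severity(f))
    return f.found + timedelta(days=days) if days else None

def overdue(findings, today: date):
    """Findings past their SLA as of `today`, for the monthly report in step 7."""
    return [f for f in findings if due_date(f) is not None and today > due_date(f)]

def summarize(findings):
    """Per-asset counts by severity, matching the scan summary table in section 4."""
    out = {}
    for f in findings:
        row = out.setdefault(f.asset, {"Critical": 0, "High": 0, "Medium": 0, "Low": 0})
        row[severity(f)] += 1
    return out

# Constructed sample findings; asset names follow the SOP's sample table.
SAMPLE = [
    Finding("APP-WEB-01", 8.1, True, 3, date(2025, 9, 10)),   # 9.6 -> Critical, due 2025-09-25
    Finding("APP-WEB-01", 7.5, False, 3, date(2025, 9, 20)),  # 8.0 -> High, due 2025-10-20
    Finding("DB-SQL-01", 5.3, False, 2, date(2025, 9, 25)),   # 5.3 -> Medium, no SLA
]
```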

3. Patch Validation Checklist

| Item | Yes/No | Notes |
|---|---|---|
| Patch deployed to test ring | | |
| No adverse effects observed | | |
| Production rollout approved | | |
| Post‑patch rescan clean | | |
| POA&M updated with evidence | | |

4. Sample Vulnerability Scan Summary

| Asset | Critical | High | Medium | Low | Last Scan |
|---|---|---|---|---|---|
| APP‑WEB‑01 | 2 | 4 | 7 | 10 | 2025‑10‑05 |
| DB‑SQL‑01 | 0 | 1 | 3 | 6 | 2025‑10‑05 |


Owner: Vulnerability Manager • Last Updated: