In the complex world of cybersecurity, and of the ever-evolving technology it works to protect, the daily threat posture presents a continuously growing set of challenges. As corporations such as Financial Organization scale their digital services and technology, including on-premises and cloud infrastructure, their digital footprint multiplies and becomes increasingly important to business operations.
A primary component of securing the infrastructure behind online machines, business tools, and public-facing components is auditing and scanning resources to identify vulnerabilities. When vulnerabilities are discovered, there needs to be an established process for upgrading infrastructure and software and for applying remediation techniques to resolve incidents.
Considering the range of digital services that can be quickly affected and targeted, it is important to create wide reach with a single-pane-of-glass approach that catches and remediates vulnerabilities across the system. These threats are scaling with technology and becoming increasingly complex to defend against, growing over 200% between 2013 and 2022. The objective of planning for vulnerability management is creating a policy that dictates how, when, and by whom this core goal of maintaining a secure environment is handled.
The policies established through the vulnerability management program will enhance Financial Organization's capability to handle vulnerabilities and deter threats, strengthening the existing cybersecurity posture. As a practical guide to keeping the corporation compliant within the industry, this policy and its procedures will enable the security team to roll out continuous remediations.
Objectives and goals
The Financial Organization vulnerability management program will seek to create a single pane of glass view that handles identification, scanning, remediation guidance, and review of the lifecycle for remediating infrastructure and software threats.
- Each vulnerability will be filtered through an established policy to identify whether it is high-risk and critical; if so, it will be remediated within the two-week cycle.
- Scanning and reporting of all assets will be automated through cloud software to deterministically evaluate threats on a daily schedule.
- All assets, from infrastructure and devices to software, will be scanned each day, with a report of the critical errors and the exposure ranking of all vulnerabilities.
- Runtime assets with high exploitability will be prioritized as critical, while other vulnerabilities will be resolved through the lifecycle as technical debt.
Handling the critical errors first and then the remaining ones, with all vulnerabilities ranked on their exposure ranking and risk, will allow prioritized remediation of all affected assets across the full system.
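As an added example, not part of the original program documentation, the prioritization rules above written as a small Python triage routine: high-risk and critical findings and any finding on a runtime asset with high exploitability are scheduled into the current two-week cycle, everything else is carried as technical debt, and within each class the exposure ranking decides the order. The field names (`severity`, `exploitable`, `runtime_asset`, `exposure`) and the sample findings are constructed for illustration; the page defines no scanner schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Length of the remediation cycle named by the program (two weeks).
CYCLE_DAYS = 14

# Tie-break ordering within a priority class (constructed for this example).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset. Field names are assumptions; the page
    defines no scanner schema."""
    finding_id: str
    asset: str
    severity: str        # "critical" | "high" | "medium" | "low"
    exploitable: bool    # high exploitability (public exploit / exploitation observed)
    runtime_asset: bool  # asset is live in production, not a build-time-only component
    exposure: int        # scanner exposure ranking, 0-100, higher means more exposed


def is_cycle_critical(finding: Finding) -> bool:
    """Policy filter: high-risk and critical findings, plus any finding on a runtime
    asset with high exploitability, must be remediated within the current cycle."""
    if finding.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {finding.severity!r}")
    if finding.severity in ("critical", "high"):
        return True
    return finding.runtime_asset and finding.exploitable


def triage(findings, cycle_start: date):
    """Order findings for remediation and attach a due date.

    Cycle-critical findings come first and are due at the end of the two-week
    cycle; everything else is carried as technical debt (no due date in this
    policy). Within a class, higher exposure ranking and higher severity go first.
    """
    due = cycle_start + timedelta(days=CYCLE_DAYS)
    ordered = sorted(
        findings,
        key=lambda f: (not is_cycle_critical(f), -f.exposure, -SEVERITY_RANK[f.severity]),
    )
    return [
        {
            "finding_id": f.finding_id,
            "asset": f.asset,
            "priority": "remediate_this_cycle" if is_cycle_critical(f) else "technical_debt",
            "due": due if is_cycle_critical(f) else None,
        }
        for f in ordered
    ]


# Constructed sample findings, not real scan output.
SAMPLE_CYCLE_START = date(2025, 1, 6)
SAMPLE_FINDINGS = [
    Finding("F-1", "payments-api", "medium", True, True, 80),
    Finding("F-2", "build-runner", "high", False, False, 40),
    Finding("F-3", "intranet-wiki", "low", False, True, 10),
    Finding("F-4", "customer-portal", "critical", True, True, 95),
    Finding("F-5", "batch-job", "medium", True, False, 60),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, SAMPLE_CYCLE_START):
        print(row)
```

Note how the runtime-asset rule moves a medium finding on the exploitable, live `payments-api` ahead of a high finding on a build runner: severity alone is not the ordering the policy describes.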
Through the NIST Cybersecurity Framework (CSF) 2.0, Financial Organization will optimize the vulnerability management lifecycle by applying focused objectives within this program's policy. These identifiable goals will become the pillars of the program, enhanced and adapted over time to fit the scope of the cybersecurity goals to the objective.
Protecting assets with identity management, authentication, and access control will mitigate external and internal actors who could use misconfigured or direct access to reach vulnerabilities in the infrastructure. Continuous rollout of updated awareness training on the latest attack vectors will strengthen the layers of authentication-based security against incidental threats by empowering the first line of defense: the employees. Redundancy, failover, and availability will be configured for primary infrastructure to increase the technology infrastructure's resilience.
Mitigating supply chain risks through onboarding and offboarding principles for any technical addition to the information technology stack will improve the resilience of the overall infrastructure. Incorporating new devices into the scanning and vulnerability identification process before they are connected to the infrastructure will reduce their ability to introduce downstream security issues.
Oversight across the business will create advocates in the various business activities, including operations and finance, to reduce the chance of shadow IT and untrusted software becoming a threat to the overall security posture.
These three (3) concepts, protecting, mitigating, and overseeing all aspects of the IT lifecycle, will enhance the program's ability to narrow down vulnerabilities and to audit and defend the data traveling across these information channels.
Outcomes
When applying this vulnerability management program to Financial Organization, the framework objectives are focused on continuity of protection, overall mitigation, and reduced risk. Through training and certification in cybersecurity specialties, the effectiveness of the program, including its roles, will be measured on the following.
- Mean time to remediation is the average time from identification to remediation. As this program's lifecycle runs two weeks at a time, the objective is to remove new vulnerabilities from the queue each cycle, from critical to low-risk, to eventually achieve a bi-weekly update cycle.
- Risk score is an overall scoring of the level of vulnerability, weighted based on critical, high, and medium vulnerabilities. The lower the risk score the better; the objective of the program is to stay lower than 50 (medium risk), with a target of 30 or less (low risk) over time.
- Asset inventory coverage is the share of the network that vulnerability scanning and remediation can reach to resolve threats. A number closest to 100% is best, and the program continuously aims for 75% or greater coverage.
By following industry best practices and compliance standards, Financial Organization will benefit greatly from focusing on established frameworks to seed maturity into this newly established program, allowing for adaptation and customization over time.
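The three program metrics above, computed over a constructed set of findings and an asset inventory, as an added Python example that is not part of the original program. The thresholds (below 50 is medium risk, 30 or less is low risk, 75% coverage target) come from the page; the per-severity weights in `RISK_WEIGHTS` are an assumption, since the page says the score is weighted on critical, high and medium findings but does not give the weights.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ASSUMED weights: the program states the score is weighted by critical/high/medium
# but gives no figures, so these are illustrative only.
RISK_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 0}
# Thresholds stated by the program.
RISK_MEDIUM_CEILING = 50   # stay below this (medium risk)
RISK_LOW_TARGET = 30       # target: at or below this (low risk)
COVERAGE_TARGET = 0.75     # asset inventory coverage goal


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    identified: date
    remediated: Optional[date] = None   # None while the finding is still open


def mean_time_to_remediation(findings):
    """Average days from identification to remediation over closed findings;
    None when nothing has been closed yet (avoids a divide-by-zero on a fresh cycle)."""
    durations = [(f.remediated - f.identified).days for f in findings if f.remediated]
    if not durations:
        return None
    return sum(durations) / len(durations)


def risk_score(findings):
    """Weighted sum over open findings only; remediated findings stop counting."""
    return sum(RISK_WEIGHTS[f.severity] for f in findings if f.remediated is None)


def risk_band(score):
    """Map a score onto the program's bands: <=30 low, <50 medium, otherwise high."""
    if score <= RISK_LOW_TARGET:
        return "low"
    if score < RISK_MEDIUM_CEILING:
        return "medium"
    return "high"


def inventory_coverage(inventory, scanned):
    """Fraction of inventoried assets that appeared in scan results."""
    inventory = set(inventory)
    if not inventory:
        return 0.0
    return len(inventory & set(scanned)) / len(inventory)


def cycle_report(findings, inventory, scanned):
    """The three metrics the program reports at the end of a bi-weekly cycle."""
    score = risk_score(findings)
    coverage = inventory_coverage(inventory, scanned)
    return {
        "mttr_days": mean_time_to_remediation(findings),
        "risk_score": score,
        "risk_band": risk_band(score),
        "coverage": coverage,
        "coverage_met": coverage >= COVERAGE_TARGET,
    }


# Constructed sample data, not from any real scan.
SAMPLE_INVENTORY = ["payments-api", "customer-portal", "build-runner",
                    "intranet-wiki", "batch-job", "hr-system"]
SAMPLE_SCANNED = ["payments-api", "customer-portal", "build-runner",
                  "intranet-wiki", "batch-job"]           # hr-system was never scanned
SAMPLE_FINDINGS = [
    Finding("F-1", "payments-api", "critical", date(2025, 1, 6), date(2025, 1, 10)),  # closed in 4 days
    Finding("F-2", "customer-portal", "high", date(2025, 1, 6), date(2025, 1, 16)),   # closed in 10 days
    Finding("F-3", "build-runner", "high", date(2025, 1, 7)),
    Finding("F-4", "intranet-wiki", "high", date(2025, 1, 8)),
    Finding("F-5", "batch-job", "critical", date(2025, 1, 8)),
    Finding("F-6", "batch-job", "low", date(2025, 1, 9)),
    Finding("F-7", "customer-portal", "critical", date(2025, 1, 9)),
    Finding("F-8", "payments-api", "medium", date(2025, 1, 9)),
]

if __name__ == "__main__":
    print(cycle_report(SAMPLE_FINDINGS, SAMPLE_INVENTORY, SAMPLE_SCANNED))
```

With the sample data the open findings score 32, which lands in the medium band: under the 50 ceiling but above the 30 target, so the cycle met the ceiling and not the goal. Coverage is five of six inventoried assets, above the 75% target, and the unscanned `hr-system` is exactly the kind of gap the coverage metric exists to surface.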
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology produces a cybersecurity framework focused on governance-based security, which aims to unify the identification, protection, detection, response, and recovery of vulnerabilities (Boutin, 2025). Through this framework, members across the organization are stewards in shaping the alignment of the security posture, with functions such as legal and human resources installing their own processes to handle different types of risk. These considerations around the roles played in the security effort will be a primary means of involving Financial Organization employees and increasing security awareness.
International Organization for Standardization (ISO)
The International Organization for Standardization created the ISO 27001 model, which focuses on conducting a risk assessment, developing a policy, assigning responsibility, implementing controls, conducting regular audits, providing training, and continuously monitoring (Kulkarni, 2024b). The ISO standard adds context to the continuous monitoring and shared responsibility aspects of this program for Financial Organization, as independent departments will each play a role in advising on the security procedures and the known critical assets of the business.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard established an audit-based model with 12 points of security, from strong passwords to firewalls, encryption, documentation of policies, restricted access, and protection of data. These standards are requirements for securely processing and controlling payment information from individuals using cards to make digital and physical transactions. As Financial Organization provides and accepts payments from vendors, customers, and business partners, this plan will enable the vulnerability and risk management aspects of this standard to meet its top priority of protecting cardholder data.
Roles and process
Through the distribution of roles and responsibilities in the cybersecurity posture, individuals and their teams can contribute their unique viewpoints, which can surface suggestions and ideas on how to think about the context of the assets. When dividing and conquering the various products offered and established within Financial Organization, it is important to view security through the lens of the subject matter experts to truly incorporate industry-standard security.
- Executive Steering Committee: A group of company policymakers from each business category, from operations, sales, and accounting to information technology, who combine their relevant industry concerns into a unified approach that is translated into technical requirements.
- Asset Owners: Individuals who oversee the development and/or maintenance of internal assets that support the various business operations of the organization. These are the second-in-line decision makers, very in tune with the day-to-day demands of and interactions with the company's products.
- Security Manager: A company officer in charge of the overall security posture, from engineering to vulnerabilities, who makes decisions about the path to achieving the results outlined by executives and asset owners.
- Security Analysts: Information-focused practitioners who analyze and support detection of risks in the security posture, plan for future unknowns, and analyze the existing infrastructure.
- Security Engineers: Code and infrastructure engineers who assemble, remediate, and establish procedures, driven from the day-to-day work up to the larger policies created by the steering committee.
This vulnerability management process will align the core policies and metrics to evaluate the security posture of the business and enhance the awareness of known vulnerabilities in the system to remediate exposure and reduce risk through a series of planned phases.
Identify
In the identification phase, assets from devices to software will be documented to understand the scope of their configuration, versioning, and ability to be remediated. An inventory will be created to solidify the organization's understanding into a matrix that can be processed into vulnerability scanning configurations. These efforts will be spearheaded by the Asset Owners and Security Analysts to distill how the various company products can be audited and remediated. As the teams work through their assets to generate an organizational framework, the critical elements of these verticals will be ranked to identify the most valuable assets for oversight and planning.
Assess
The Security Manager, Security Analysts, and Security Engineers will take the organizational documentation and produce an assessment of the feasibility and criticality of the assets from a technical perspective: a threat model for each asset. Assets will be scanned throughout this phase to give a holistic sense of the applicable attack vectors and vulnerabilities, and a risk-based score for each asset.
Report
As the security team, made up of the Security Manager, Security Analysts, and Security Engineers, reviews the output of the assess phase, it will combine the threat models with the information gained during the identification phase to produce a report on each asset, from common to known vulnerabilities. These reports become the feedback and instructions that identify the priorities for remediation, and they will be provided to the Executive Steering Committee and Asset Owners for feedback and prioritization based on the criticality of the business products.
Remediate
The remediation stage focuses on the highest-priority assets first, as outlined by the risk score and the high-risk and critical vulnerabilities. The objective of this phase is for the Security Engineers to upgrade components that could be threats to the organization and mitigate their risk by replacing dependencies, hardware, software, and outdated configurations.
Communicate
As the security team completes the objectives of the policies established as a result of the reporting phase, the Security Manager will communicate the results, and any identified breaches, to the Asset Owners and Executive Steering Committee. These points of contact can handle outward communication if needed, direct internal changes, and communicate any requirements that may arise to support resolving these issues at a larger scale.
Review
In the final stage, the groups will showcase their efforts, understand the results of the remediations, and plan the next iteration. The review phase offers reflection on the success of the effort from identification through remediation and can inform changes, while discussing opportunities for improvement in the cycle, including blockers.
Reporting and training
In the continuous lifecycle of vulnerability management, this program will monitor metrics for the bi-weekly remediation schedule, reporting the latest statistics each day based on the following core metrics.
- Exposure Score will determine the overall exposure of devices and assets to cyber threats.
- Security Recommendations will provide prioritized lists of software updates and configurations based on NIST's recommendations and custom policies for low to critical vulnerabilities.
- Vulnerability and Device Inventories will reveal affected assets that need to be remediated and prioritized.
- Threat Intelligence and Breach Likelihood will anticipate the effects of outdated components within the asset inventory and rank them based on monitored real-time threats.
These metrics map onto the NIST Common Vulnerability Scoring System: the exposure score relates to the overall base metric calculation; the security recommendations align with Confidentiality (VC), Integrity (VI), and Availability (VA); vulnerability and device inventories can be linked to Vulnerability Response Effort (RE) and the fixed and variable costs associated with remediating them; and threat intelligence and breach likelihood connect with the Attack Vector (AV), Attack Complexity (AC), and Attack Requirements (AT) considerations for the probability of these assets being affected (NVD — CVSS V4 Calculator, n.d.).
As the Executive Steering Committee works to understand the security presence, it will work with the Asset Owners to narrow down the established pillars of consideration based on the verticals in which the business operates.
Yearly interactive training, quarterly circulation of security information, and ongoing critical trainings will be sent to employees to keep them abreast of the security requirements around their job roles. The program will inform business executives, through meetings and reports, of recent cyber threats, so they can decide how best to educate staff and mitigate internal exposure.
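The mapping in the paragraph above, from CVSS v4 metrics to the program's four dashboard categories, as an added Python example that is not part of the original program: it validates a CVSS v4.0 vector string against the metric vocabularies, requires all eleven base metrics, and groups the metrics the text names (AV/AC/AT, VC/VI/VA, RE) under the corresponding category. The metric names and values are the published CVSS v4.0 ones; the category keys, the `network_low_complexity` flag, and the sample vectors are constructed for this example. The numeric v4 score is not computed here, because it requires the CVSS v4 MacroVector lookup tables that a scanner or the NVD calculator applies.

```python
import re

# CVSS v4.0 base metrics and their allowed values (all eleven are mandatory).
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system Confidentiality impact
    "VI": {"H", "L", "N"},        # Vulnerable system Integrity impact
    "VA": {"H", "L", "N"},        # Vulnerable system Availability impact
    "SC": {"H", "L", "N"},        # Subsequent system Confidentiality impact
    "SI": {"H", "L", "N"},        # Subsequent system Integrity impact
    "SA": {"H", "L", "N"},        # Subsequent system Availability impact
}
# Optional metrics this example validates; other groups are kept but not checked.
OPTIONAL_METRICS = {
    "E": {"X", "A", "P", "U"},    # Exploit Maturity (threat metric group)
    "RE": {"X", "L", "M", "H"},   # Vulnerability Response Effort (supplemental group)
}

# Dashboard categories from the program and the CVSS metrics the text maps to each.
# Category keys are constructed for this example.
CATEGORY_MAP = {
    "threat_intelligence_and_breach_likelihood": ("AV", "AC", "AT"),
    "security_recommendations": ("VC", "VI", "VA"),
    "vulnerability_and_device_inventories": ("RE",),
}

_PREFIX = "CVSS:4.0/"
_PAIR = re.compile(r"^([A-Z]+):([A-Za-z]+)$")


def parse_cvss4(vector: str) -> dict:
    """Parse a CVSS v4.0 vector into {metric: value}, rejecting malformed input."""
    if not vector.startswith(_PREFIX):
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in vector[len(_PREFIX):].split("/"):
        match = _PAIR.match(part)
        if not match:
            raise ValueError(f"malformed component {part!r}")
        key, value = match.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        allowed = BASE_METRICS.get(key) or OPTIONAL_METRICS.get(key)
        if allowed is not None and value not in allowed:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_cvss4(vector: str) -> bool:
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False


def categorize(vector: str) -> dict:
    """Group a vector's metrics under the program's dashboard categories."""
    metrics = parse_cvss4(vector)
    report = {
        # Inputs to the exposure score; the score itself is left to the calculator.
        "exposure_score_inputs": {k: metrics[k] for k in BASE_METRICS},
    }
    for category, keys in CATEGORY_MAP.items():
        # Supplemental metrics default to "X" (Not Defined) when absent.
        report[category] = {k: metrics.get(k, "X") for k in keys}
    # Constructed rule for this example: reachable over the network, low complexity,
    # no attack requirements is the highest breach-likelihood tier for ranking.
    report["network_low_complexity"] = (
        metrics["AV"] == "N" and metrics["AC"] == "L" and metrics["AT"] == "N"
    )
    return report


# Constructed sample vector (not tied to any real CVE).
SAMPLE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/RE:M"

if __name__ == "__main__":
    for name, group in categorize(SAMPLE_VECTOR).items():
        print(name, group)
```

Rejecting vectors with a missing base metric or an unknown value matters on a daily automated pipeline: a silently accepted malformed vector would rank an asset as though its exposure were unknown rather than flagging the scanner output for review.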
Auditing and management
On a bi-weekly basis, the Security Manager will showcase the results of the security lifecycle to the Executive Steering Committee and the Asset Owners to increase holistic understanding of the process and of the upcoming work from the review phase. The program will be updated cyclically, with major changes occurring each quarter and the security team documenting its processes as each bi-weekly output is produced.
When new assets and verticals are added, the program will create expansion sections that mirror the depth of the original verticals, to make sure the security posture remains unchanged through the addition. New additions will go through a similar drafting process with the Executive Steering Committee, Asset Owners, and Security Team to keep the program at a high standard when intaking new assets.
Third-party auditors can review this process with indirect access to the systems by way of the single-pane-of-glass views, based on the configured assets and the results of the remediations. The bi-weekly reporting will stand as the continuous improvement metric and identify the business capacity and opportunities for enhancing the program's application.
Throughout the lifecycle of this program, these policies and procedures will be the foremost guidelines for documentation, expected results and metrics, and reports. These documents will be available for review by the mentioned parties in the Financial Organization Microsoft SharePoint, with the reports and dashboards as outputs of the continuous lifecycle, for review by the internal parties.
In the SharePoint-connected Microsoft OneDrive application, these documents will be secured and encrypted behind access controls established through the enterprise identity management and privileged access management configurations in Microsoft Entra ID. On a need-to-know basis, these documents can be obfuscated and shared based on policies established in Microsoft Purview to securely provide information to internal and third parties.
Continuous monitoring and improvement
When establishing this security program, while the security monitoring and remediation improvement processes are being documented by the Executive Steering Committee, Asset Owners, and Security Manager, the Security Analysts and Engineers will begin developing the Security Information and Event Management (SIEM) system.
Through this single pane of glass, the Microsoft Sentinel and Defender management portal, the metrics and reports will be continuously generated and exported to SharePoint. Real-time threats and vulnerability scores will be visible on the dashboard, and as the security team loads in the configurations for the assets, the events will drive the understanding of the security posture in the environment.
Incorporating the assets available through Azure into the enterprise system, together with the enterprise tools, creates a secure facilitation of risk review, asset discovery, and real-time threat detection. The ability to visualize the effects of these assets when they are updated and when they are earmarked for future upgrades will give the business an intuitive sense of the impacts on the system.
As these standards align with the NIST implementation tiers, the system will reach ‘Adaptive — Tier 4’, with the ability to automate activities, analyze threats in real time, and capture historical changes and the metrics aligned with them (Jha). Installing this program will create a living system that incorporates the latest standards, is flexible to change, and establishes a strong step forward in security posture, mitigating and reducing overall risk to Financial Organization in the ever-changing digital world.
Engineering resilience, security, and future-ready software architecture. Follow on X, GitHub, and LinkedIn, and visit https://joealongi.dev/.
Vulnerability management program for Financial Technology (FinTech)